Add new infra architecture

infrastructure/security/certificates/mailu/generate-mailu-certificates.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+
+# Generate TLS certificates for Mailu mail server
+# Uses the shared CA from the infrastructure
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_DIR="$SCRIPT_DIR/../ca"
+MAILU_DIR="$SCRIPT_DIR"
+
+echo "Generating TLS certificates for Mailu..."
+echo "Directory: $MAILU_DIR"
+echo ""
+
+# Check if CA exists
+if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
+    echo "ERROR: CA certificates not found. Please run generate-certificates.sh first."
+    exit 1
+fi
+
+# Clean up old certificates
+echo "Cleaning up old certificates..."
+rm -f "$MAILU_DIR/mailu-cert.pem" "$MAILU_DIR/mailu-key.pem" "$MAILU_DIR/mailu.csr" 2>/dev/null || true
+
+# =====================================
+# Generate Mailu Server Certificates
+# =====================================
+
+echo "Generating Mailu server certificates..."
+
+# Generate Mailu server private key
+openssl genrsa -out "$MAILU_DIR/mailu-key.pem" 4096
+
+# Create certificate signing request (CSR)
+openssl req -new -key "$MAILU_DIR/mailu-key.pem" -out "$MAILU_DIR/mailu.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Mail/CN=mail.bakewise.ai"
+
+# Create SAN configuration for Mailu
+cat > "$MAILU_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Mail
+CN = mail.bakewise.ai
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = mail.bakewise.ai
+DNS.2 = mailu-front.bakery-ia.svc.cluster.local
+DNS.3 = mailu-front.bakery-ia
+DNS.4 = mailu-front
+DNS.5 = localhost
+DNS.6 = *.bakewise.ai
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+openssl x509 -req -in "$MAILU_DIR/mailu.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$MAILU_DIR/mailu-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$MAILU_DIR/san.cnf"
+
+# Set proper permissions
+chmod 600 "$MAILU_DIR/mailu-key.pem"
+chmod 644 "$MAILU_DIR/mailu-cert.pem"
+
+# Copy CA cert for Mailu clients
+cp "$CA_DIR/ca-cert.pem" "$MAILU_DIR/ca-cert.pem"
+
+echo "✓ Mailu certificates generated"
+echo ""
+
+# =====================================
+# Verify Certificates
+# =====================================
+
+echo "Verifying certificates..."
+echo "Mailu certificate details:"
+openssl x509 -in "$MAILU_DIR/mailu-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MAILU_DIR/mailu-cert.pem"
+
+echo ""
+echo "===================="
+echo "✓ Mailu certificates generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  - $MAILU_DIR/mailu-cert.pem (Server certificate)"
+echo "  - $MAILU_DIR/mailu-key.pem (Server private key)"
+echo "  - $MAILU_DIR/ca-cert.pem (CA certificate for clients)"
+echo ""
+echo "Next steps:"
+echo "  1. Create Kubernetes secret: mailu-tls-secret"
+echo "  2. Mount in mailu-front deployment"
+echo ""