| author | Paul Buetow <paul@buetow.org> | 2026-06-19 22:01:56 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-06-19 22:01:56 +0300 |
| commit | 01e99ef089e3a2370acf554f5ba8cb90f3c0a2bb (patch) | |
| tree | 7f8165750d0b4af133cc7b431554209ef55eeba3 | |
| parent | 9e4c0f14ceab7840ed35b49fd63397783b1c311f (diff) | |
Bridge v3 requires 'pass' as keychain store. The startup script now
initializes a passphrase-free GPG key and pass store on first run (all
persisted on the NFS PVC so restarts reconnect without re-login). Mounts
the full /home/protonmail instead of just .config to cover .gnupg and
.password-store. First-time ProtonMail login via bridge --cli still
required; see deployment comment for instructions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| -rw-r--r-- | f3s/protonbridge/helm-chart/templates/deployment.yaml | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/f3s/protonbridge/helm-chart/templates/deployment.yaml b/f3s/protonbridge/helm-chart/templates/deployment.yaml
index e32a234..e781a0c 100644
--- a/f3s/protonbridge/helm-chart/templates/deployment.yaml
+++ b/f3s/protonbridge/helm-chart/templates/deployment.yaml
@@ -36,13 +36,49 @@ spec: readOnly: true containers: - name: protonbridge - # shenxn/protonmail-bridge runs the bridge in headless/noninteractive mode. - # On first start, authenticate interactively: - # kubectl exec -it <pod> -n services -- bridge --cli + # shenxn/protonmail-bridge: headless Proton Bridge with CLI. + # Startup script initializes GPG+pass on first run (persisted to PVC), + # then starts bridge. pass is required by Bridge v3 as the keychain store. + # + # FIRST-TIME SETUP (run once after pod starts for the first time): + # kubectl exec -it -n services <pod> -- bridge --cli # > login - # Credentials and session tokens are persisted to the data PVC so - # subsequent restarts reconnect automatically without re-login. + # Enter ProtonMail credentials when prompted. The bridge token and IMAP/SMTP + # passwords are stored in pass (encrypted to the auto-generated GPG key on PVC), + # so subsequent pod restarts reconnect automatically without re-login. + # + # EMAIL CLIENT SETUP: + # After login, run 'info' in bridge --cli to get the per-account IMAP password. + # IMAP: <r-vm-lan-ip>:30143, STARTTLS, accept self-signed cert + # SMTP: <r-vm-lan-ip>:30025, STARTTLS, accept self-signed cert + # Username: your ProtonMail address + # Password: bridge-generated password (shown by 'info' in bridge --cli) image: shenxn/protonmail-bridge:latest + command: + - /bin/sh + - -c + - | + set -e + # Initialize GPG + pass on first run. Reuses existing keys on restart. + if [ ! -d /home/protonmail/.gnupg ] || ! gpg --list-secret-keys 2>/dev/null | grep -q fpr; then + echo "First run: generating GPG key and initializing pass..." + gpg --batch --gen-key <<'GPGEOF' + Key-Type: RSA + Key-Length: 4096 + Name-Real: protonbridge + Name-Email: protonbridge@local + Expire-Date: 0 + %no-passphrase + %commit + GPGEOF + fi + FINGERPRINT=$(gpg --list-secret-keys --with-colons 2>/dev/null | grep fpr | head -1 | cut -d: -f10) + if [ -n "$FINGERPRINT" ] && [ ! 
-d /home/protonmail/.password-store ]; then + echo "Initializing pass with fingerprint $FINGERPRINT..." + pass init "$FINGERPRINT" + fi + echo "Starting Proton Bridge..." + exec bridge --noninteractive ports: - name: imap containerPort: 1143 @@ -52,8 +88,8 @@ spec: protocol: TCP volumeMounts: - name: protonbridge-data - # Bridge stores its config (tokens, keychain) under ~/.config/protonmail - mountPath: /home/protonmail/.config + # Mount full home dir so GPG keys, pass store, and bridge config all persist + mountPath: /home/protonmail readinessProbe: tcpSocket: port: 1143 |
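Review bot: The first-run guard in the added startup script does not match the query two lines below it: `gpg --list-secret-keys` without `--with-colons` prints `sec`/`ssb`/`uid` records and a bare hex fingerprint, so `grep -q fpr` is expected never to match and the key-generation branch runs on every pod start, appending another 4096-bit RSA key to the NFS-backed keyring each time (pass keeps working only because `head -1` keeps returning the oldest key). Use the colon format in the guard too, `! gpg --list-secret-keys --with-colons 2>/dev/null | grep -q '^fpr:'`, and anchor the later `grep fpr` to `'^fpr:'` as well. GnuPG 2.x documents `%no-protection`, not `%no-passphrase`, for unattended generation of a passphrase-less key; an unrecognised control line is skipped with a warning, after which gpg would try to collect a passphrase through pinentry, which a headless pod lacks — confirm against the image's gpg version and switch to `%no-protection`. Because the key intentionally has no passphrase, the deployment comment should state the resulting trust boundary, e.g. `# SECURITY: the GPG key has no passphrase; anyone who can read the PVC / NFS export can decrypt the pass store and the Proton session token.`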
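Review bot: The `mountPath: /home/protonmail` change makes the NFS export the security boundary for the mailbox, since its stated purpose is to persist `.gnupg` (holding a private key that, per the commit message, has no passphrase) and `.password-store` next to the bridge config; the comment on that line should say so, e.g. `# NOTE: holds an unprotected GPG private key; restrict the NFS export to the cluster nodes and pin a non-root runAsUser/fsGroup so .gnupg stays 0700`. Two things to verify on an NFS-backed home: GnuPG puts gpg-agent's Unix socket under ~/.gnupg when /run/user/<uid>/gnupg does not exist, and Unix sockets on NFS are a well-known cause of "can't connect to the agent" failures (a tmpfs/emptyDir socket dir via `gpgconf --create-socketdir` or a `/run/user/<uid>` mount avoids it); and the mount now shadows anything the image ships under /home/protonmail, so check that the image's entrypoint and HOME assumptions still hold. The enclosing container spec starts and ends outside the hunk.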
