From 01e99ef089e3a2370acf554f5ba8cb90f3c0a2bb Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 19 Jun 2026 22:01:56 +0300 Subject: =?UTF-8?q?protonbridge:=20fix=20startup=20=E2=80=94=20init=20GPG+?= =?UTF-8?q?pass=20on=20first=20run,=20mount=20full=20home?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bridge v3 requires 'pass' as keychain store. The startup script now initializes a passphrase-free GPG key and pass store on first run (all persisted on the NFS PVC so restarts reconnect without re-login). Mounts the full /home/protonmail instead of just .config to cover .gnupg and .password-store. First-time ProtonMail login via bridge --cli still required; see deployment comment for instructions. Co-Authored-By: Claude Sonnet 4.6 --- .../helm-chart/templates/deployment.yaml | 50 +++++++++++++++++++--- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/f3s/protonbridge/helm-chart/templates/deployment.yaml b/f3s/protonbridge/helm-chart/templates/deployment.yaml index e32a234..e781a0c 100644 --- a/f3s/protonbridge/helm-chart/templates/deployment.yaml +++ b/f3s/protonbridge/helm-chart/templates/deployment.yaml 
@@ -36,13 +36,49 @@ spec: readOnly: true containers: - name: protonbridge - # shenxn/protonmail-bridge runs the bridge in headless/noninteractive mode. - # On first start, authenticate interactively: - # kubectl exec -it -n services -- bridge --cli + # shenxn/protonmail-bridge: headless Proton Bridge with CLI. + # Startup script initializes GPG+pass on first run (persisted to PVC), + # then starts bridge. pass is required by Bridge v3 as the keychain store. + # + # FIRST-TIME SETUP (run once after pod starts for the first time): + # kubectl exec -it -n services -- bridge --cli # > login - # Credentials and session tokens are persisted to the data PVC so - # subsequent restarts reconnect automatically without re-login. + # Enter ProtonMail credentials when prompted. The bridge token and IMAP/SMTP + # passwords are stored in pass (encrypted to the auto-generated GPG key on PVC), + # so subsequent pod restarts reconnect automatically without re-login. + # + # EMAIL CLIENT SETUP: + # After login, run 'info' in bridge --cli to get the per-account IMAP password. + # IMAP: :30143, STARTTLS, accept self-signed cert + # SMTP: :30025, STARTTLS, accept self-signed cert + # Username: your ProtonMail address + # Password: bridge-generated password (shown by 'info' in bridge --cli) image: shenxn/protonmail-bridge:latest + command: + - /bin/sh + - -c + - | + set -e + # Initialize GPG + pass on first run. Reuses existing keys on restart. + if [ ! -d /home/protonmail/.gnupg ] || ! gpg --list-secret-keys 2>/dev/null | grep -q fpr; then + echo "First run: generating GPG key and initializing pass..." + gpg --batch --gen-key <<'GPGEOF' + Key-Type: RSA + Key-Length: 4096 + Name-Real: protonbridge + Name-Email: protonbridge@local + Expire-Date: 0 + %no-passphrase + %commit + GPGEOF + fi + FINGERPRINT=$(gpg --list-secret-keys --with-colons 2>/dev/null | grep fpr | head -1 | cut -d: -f10) + if [ -n "$FINGERPRINT" ] && [ ! 
-d /home/protonmail/.password-store ]; then + echo "Initializing pass with fingerprint $FINGERPRINT..." + pass init "$FINGERPRINT" + fi + echo "Starting Proton Bridge..." + exec bridge --noninteractive ports: - name: imap containerPort: 1143 @@ -52,8 +88,8 @@ spec: protocol: TCP volumeMounts: - name: protonbridge-data - # Bridge stores its config (tokens, keychain) under ~/.config/protonmail - mountPath: /home/protonmail/.config + # Mount full home dir so GPG keys, pass store, and bridge config all persist + mountPath: /home/protonmail readinessProbe: tcpSocket: port: 1143 -- cgit v1.2.3
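Review bot: The restart check `! gpg --list-secret-keys 2>/dev/null | grep -q fpr` in the startup script greps for the token `fpr`, but that token is only emitted in `--with-colons` output; the default human-readable listing of GnuPG 2.x prints the fingerprint as a bare hex line, so as far as I can tell the condition is true on every pod restart and a fresh 4096-bit RSA key is generated each time (pass keeps working only because the `FINGERPRINT=` line takes the first key and `pass init` is skipped once `.password-store` exists). Suggested fix: `if [ ! -d /home/protonmail/.gnupg ] || ! gpg --list-secret-keys --with-colons 2>/dev/null | grep -q '^fpr:'; then`. Separately, the key is created with `%no-passphrase`, so the PVC holds both the private key and the pass store it protects — anyone who can read the NFS export can decrypt the Proton session token and the IMAP/SMTP password; a comment such as `# NOTE: the GPG key has no passphrase; the NFS PVC (not pass encryption) is the real secret boundary — restrict the export and the PVC's RBAC accordingly.` would make that trade-off explicit to the next maintainer. The client-setup comment saying "accept self-signed cert" should also say to trust the bridge's specific certificate rather than any certificate, since a blind accept lets anyone who can reach :30143/:30025 on the node network impersonate the bridge and capture the bridge password.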
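Review bot: Mounting the PVC at `/home/protonmail` shadows anything the image already ships in that directory (if it does), and it moves `.gnupg` — which GnuPG expects to be mode 0700 and owned by the running uid — onto NFS, where `root_squash` or `fsGroup` remapping commonly produces "unsafe permissions on homedir" warnings or an unreadable keyring on first start. The mount comment should record the security consequence as well, e.g. `# Mount full home dir so GPG keys, pass store, and bridge config all persist. The passphrase-free private key lives here next to the pass store, so the PVC contents are effectively plaintext credentials.` If the chart does not already set `securityContext.runAsUser`/`fsGroup` to match the image's protonmail user, that is worth confirming before relying on this mount; the pod-level securityContext is outside this hunk.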