2026-01-19 15:15:04 +01:00
|
|
|
# Development-tuned Mailu configuration
|
|
|
|
|
global:
|
2026-01-19 22:28:53 +01:00
|
|
|
# Using Unbound DNS for DNSSEC validation (required by Mailu admin)
|
2026-01-19 16:31:11 +01:00
|
|
|
# Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
|
2026-01-19 22:28:53 +01:00
|
|
|
custom_dns_servers: "10.98.197.120" # Unbound DNS service IP
|
2026-01-19 16:31:11 +01:00
|
|
|
|
|
|
|
|
# Redis configuration - use built-in Mailu Redis (no authentication needed)
|
|
|
|
|
externalRedis:
|
|
|
|
|
enabled: false
|
2026-01-19 15:15:04 +01:00
|
|
|
|
|
|
|
|
# Component-specific DNS configuration
|
2026-01-19 22:28:53 +01:00
|
|
|
# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
|
2026-01-19 15:15:04 +01:00
|
|
|
admin:
|
2026-01-19 22:28:53 +01:00
|
|
|
dnsPolicy: "None"
|
|
|
|
|
dnsConfig:
|
|
|
|
|
nameservers:
|
|
|
|
|
- "10.98.197.120" # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
|
|
|
|
|
searches:
|
|
|
|
|
- "bakery-ia.svc.cluster.local"
|
|
|
|
|
- "svc.cluster.local"
|
|
|
|
|
- "cluster.local"
|
|
|
|
|
options:
|
|
|
|
|
- name: ndots
|
|
|
|
|
value: "5"
|
2026-01-19 15:15:04 +01:00
|
|
|
|
2026-01-19 16:31:11 +01:00
|
|
|
# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
|
|
|
|
|
# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
|
2026-01-19 15:15:04 +01:00
|
|
|
rspamd:
|
2026-01-19 16:31:11 +01:00
|
|
|
dnsPolicy: "ClusterFirst"
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Domain configuration for dev
|
2026-01-19 22:28:53 +01:00
|
|
|
# NOTE: Using .dev TLD instead of .local because email-validator library
|
|
|
|
|
# rejects .local domains as "special-use or reserved names" (RFC 6761)
|
|
|
|
|
domain: "bakery-ia.dev"
|
2026-01-19 13:57:50 +01:00
|
|
|
hostnames:
|
2026-01-19 22:28:53 +01:00
|
|
|
- "mail.bakery-ia.dev"
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# External relay configuration for dev
|
|
|
|
|
externalRelay:
|
|
|
|
|
host: "[smtp.mailgun.org]:587"
|
2026-01-19 22:28:53 +01:00
|
|
|
username: "postmaster@bakery-ia.dev"
|
2026-01-19 13:57:50 +01:00
|
|
|
password: "mailgun-api-key-replace-in-production"
|
|
|
|
|
|
2026-01-19 15:15:04 +01:00
|
|
|
# Environment-specific configurations
|
|
|
|
|
persistence:
|
|
|
|
|
enabled: true
|
|
|
|
|
# Development: use default storage class
|
|
|
|
|
storageClass: "standard"
|
|
|
|
|
size: "5Gi"
|
|
|
|
|
|
|
|
|
|
# Resource optimizations for development
|
|
|
|
|
resources:
|
|
|
|
|
admin:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "100m"
|
|
|
|
|
memory: "128Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "500m"
|
|
|
|
|
memory: "256Mi"
|
|
|
|
|
front:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "50m"
|
|
|
|
|
memory: "64Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "200m"
|
|
|
|
|
memory: "128Mi"
|
|
|
|
|
postfix:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "100m"
|
|
|
|
|
memory: "128Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "300m"
|
|
|
|
|
memory: "256Mi"
|
|
|
|
|
dovecot:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "100m"
|
|
|
|
|
memory: "128Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "300m"
|
|
|
|
|
memory: "256Mi"
|
|
|
|
|
rspamd:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "50m"
|
|
|
|
|
memory: "64Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "200m"
|
|
|
|
|
memory: "128Mi"
|
|
|
|
|
clamav:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: "100m"
|
|
|
|
|
memory: "256Mi"
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "300m"
|
|
|
|
|
memory: "512Mi"
|
|
|
|
|
|
|
|
|
|
replicaCount: 1 # Single replica for development
|
|
|
|
|
|
|
|
|
|
# Security settings
|
|
|
|
|
secretKey: "generate-strong-key-here-for-development"
|
|
|
|
|
|
|
|
|
|
# Ingress configuration for development - disabled to use with existing ingress
|
2026-01-19 13:57:50 +01:00
|
|
|
ingress:
|
|
|
|
|
enabled: false # Disable chart's Ingress; use existing one
|
|
|
|
|
tls: false # Disable TLS in chart since ingress handles it
|
|
|
|
|
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
|
|
|
|
|
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
|
|
|
|
|
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
|
|
|
|
|
path: /
|
|
|
|
|
pathType: ImplementationSpecific
|
|
|
|
|
|
|
|
|
|
# TLS flavor for dev (may use self-signed)
|
|
|
|
|
tls:
|
2026-01-19 16:31:11 +01:00
|
|
|
flavor: "notls" # Disable TLS for development
|
2026-01-19 13:57:50 +01:00
|
|
|
|
|
|
|
|
# Welcome message (disabled in dev)
|
|
|
|
|
welcomeMessage:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
# Log level for dev
|
|
|
|
|
logLevel: "DEBUG"
|
|
|
|
|
|
2026-01-19 15:15:04 +01:00
|
|
|
# Development-specific overrides
|
|
|
|
|
env:
|
|
|
|
|
DEBUG: "true"
|
|
|
|
|
LOG_LEVEL: "INFO"
|
|
|
|
|
|
|
|
|
|
# Disable or simplify monitoring in development
|
|
|
|
|
monitoring:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
2026-01-19 13:57:50 +01:00
|
|
|
# Network Policy for dev
|
|
|
|
|
networkPolicy:
|
|
|
|
|
enabled: true
|
|
|
|
|
ingressController:
|
|
|
|
|
namespace: ingress-nginx
|
|
|
|
|
podSelector: |
|
|
|
|
|
matchLabels:
|
|
|
|
|
app.kubernetes.io/name: ingress-nginx
|
|
|
|
|
app.kubernetes.io/instance: ingress-nginx
|
|
|
|
|
app.kubernetes.io/component: controller
|
|
|
|
|
monitoring:
|
|
|
|
|
namespace: monitoring
|
|
|
|
|
podSelector: |
|
|
|
|
|
matchLabels:
|
|
|
|
|
app: signoz-prometheus
|
