bakery-ia/infrastructure/platform/mail/mailu-helm/prod/values.yaml

# Production-tuned Mailu configuration
global:
  # Use the unbound service IP - will be replaced during deployment
  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

# Component-specific DNS configuration
admin:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

rspamd:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# External relay configuration for production
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@bakewise.ai"
  password: "PRODUCTION_MAILGUN_API_KEY"  # This should be set via secret

# Environment-specific configurations
persistence:
  enabled: true
  # Production: use microk8s-hostpath or longhorn
  storageClass: "longhorn"  # Assuming Longhorn is available in production
  size: "20Gi"  # Larger storage for production email volume

# Resource allocations for production
resources:
  admin:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  front:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  postfix:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  dovecot:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  rspamd:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  clamav:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1Gi"

replicaCount: 1  # Can be increased in production as needed

# Security settings
secretKey: "generate-strong-key-here-for-production"

# Ingress configuration for production - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false      # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: /
  pathType: ImplementationSpecific

# TLS flavor for production (uses Let's Encrypt)
tls:
  flavor: "cert"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Production-specific settings
env:
  DEBUG: "false"
  LOG_LEVEL: "WARNING"
  TLS_FLAVOR: "cert"
  REDIS_PASSWORD: "secure-redis-password"

# Enable monitoring in production
monitoring:
  enabled: true

# Production-specific security settings
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Network policies for production
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: monitoring
    podSelector: |
      matchLabels:
        app: signoz-prometheus
Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Production-tuned Mailu configuration`
			`global:`
			`# Use the unbound service IP - will be replaced during deployment`
			`custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local" # Using service DNS name instead of IP`

			`# Component-specific DNS configuration`
			`admin:`
			`dnsPolicy: "None"`
			`dnsConfig:`
			`nameservers:`
			`- "unbound-dns.bakery-ia.svc.cluster.local" # Using service DNS name instead of IP`

			`rspamd:`
			`dnsPolicy: "None"`
			`dnsConfig:`
			`nameservers:`
			`- "unbound-dns.bakery-ia.svc.cluster.local" # Using service DNS name instead of IP`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00
			`# Domain configuration for production`
			`domain: "bakewise.ai"`
			`hostnames:`
			`- "mail.bakewise.ai"`

			`# External relay configuration for production`
			`externalRelay:`
			`host: "[smtp.mailgun.org]:587"`
			`username: "postmaster@bakewise.ai"`
			`password: "PRODUCTION_MAILGUN_API_KEY" # This should be set via secret`

Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Environment-specific configurations`
			`persistence:`
			`enabled: true`
			`# Production: use microk8s-hostpath or longhorn`
			`storageClass: "longhorn" # Assuming Longhorn is available in production`
			`size: "20Gi" # Larger storage for production email volume`

			`# Resource allocations for production`
			`resources:`
			`admin:`
			`requests:`
			`cpu: "200m"`
			`memory: "256Mi"`
			`limits:`
			`cpu: "1"`
			`memory: "512Mi"`
			`front:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "500m"`
			`memory: "256Mi"`
			`postfix:`
			`requests:`
			`cpu: "200m"`
			`memory: "256Mi"`
			`limits:`
			`cpu: "1"`
			`memory: "512Mi"`
			`dovecot:`
			`requests:`
			`cpu: "200m"`
			`memory: "256Mi"`
			`limits:`
			`cpu: "1"`
			`memory: "512Mi"`
			`rspamd:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "500m"`
			`memory: "256Mi"`
			`clamav:`
			`requests:`
			`cpu: "200m"`
			`memory: "512Mi"`
			`limits:`
			`cpu: "1"`
			`memory: "1Gi"`

			`replicaCount: 1 # Can be increased in production as needed`

			`# Security settings`
			`secretKey: "generate-strong-key-here-for-production"`

Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`# Ingress configuration for production - disabled to use with existing ingress`
			`ingress:`
			`enabled: false # Disable chart's Ingress; use existing one`
			`tls: false # Disable TLS in chart since ingress handles it`
			`tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS`
			`realIpHeader: X-Forwarded-For # Header for client IP from your Ingress`
			`realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)`
			`path: /`
			`pathType: ImplementationSpecific`

			`# TLS flavor for production (uses Let's Encrypt)`
			`tls:`
			`flavor: "cert"`

			`# Welcome message (enabled in production)`
			`welcomeMessage:`
			`enabled: true`
			`subject: "Welcome to Bakewise.ai Email Service"`
			`body: "Welcome to our email service. Please change your password and update your profile."`

			`# Log level for production`
			`logLevel: "WARNING"`

			`# Enable antivirus in production`
			`antivirus:`
			`enabled: true`
			`flavor: "clamav"`

Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Production-specific settings`
			`env:`
			`DEBUG: "false"`
			`LOG_LEVEL: "WARNING"`
			`TLS_FLAVOR: "cert"`
			`REDIS_PASSWORD: "secure-redis-password"`

			`# Enable monitoring in production`
			`monitoring:`
			`enabled: true`

			`# Production-specific security settings`
			`securityContext:`
			`runAsNonRoot: true`
			`runAsUser: 1000`
			`fsGroup: 1000`

			`# Network policies for production`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`networkPolicy:`
			`enabled: true`
			`ingressController:`
			`namespace: ingress-nginx`
			`podSelector: \|`
			`matchLabels:`
			`app.kubernetes.io/name: ingress-nginx`
			`app.kubernetes.io/instance: ingress-nginx`
			`app.kubernetes.io/component: controller`
			`monitoring:`
			`namespace: monitoring`
			`podSelector: \|`
			`matchLabels:`
			`app: signoz-prometheus`