Initial commit - production deployment

2026-01-21 17:17:16 +01:00
commit c23d00dd92
2289 changed files with 638440 additions and 0 deletions
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -0,0 +1,171 @@
+# Development-tuned Mailu configuration
+global:
+  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
+  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
+  # Static ClusterIP configured in unbound-helm/values.yaml
+  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP
+
+# Redis configuration - use built-in Mailu Redis (no authentication needed)
+externalRedis:
+  enabled: false
+
+# Component-specific DNS configuration
+# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
+admin:
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "10.96.53.53"   # Unbound DNS static ClusterIP (forwards cluster.local to kube-dns)
+    searches:
+      - "bakery-ia.svc.cluster.local"
+      - "svc.cluster.local"
+      - "cluster.local"
+    options:
+      - name: ndots
+        value: "5"
+
+# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
+# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
+rspamd:
+  dnsPolicy: "ClusterFirst"
+
+# Domain configuration for dev
+# NOTE: Using .dev TLD instead of .local because email-validator library
+# rejects .local domains as "special-use or reserved names" (RFC 6761)
+domain: "bakery-ia.dev"
+hostnames:
+  - "mail.bakery-ia.dev"
+
+# Initial admin account for dev environment
+# Password is stored in mailu-admin-credentials secret
+initialAccount:
+  enabled: true
+  username: "admin"
+  domain: "bakery-ia.dev"
+  existingSecret: "mailu-admin-credentials"
+  existingSecretPasswordKey: "password"
+  mode: "ifmissing"
+
+# External relay configuration for dev (Mailgun)
+# All outbound emails will be relayed through Mailgun SMTP
+# To configure:
+#   1. Register at mailgun.com and verify your domain (bakery-ia.dev)
+#   2. Get your SMTP credentials from Mailgun dashboard
+#   3. Update the secret in configs/mailgun-credentials-secret.yaml
+#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
+externalRelay:
+  host: "[smtp.mailgun.org]:587"
+  # Credentials loaded from Kubernetes secret
+  secretName: "mailu-mailgun-credentials"
+  usernameKey: "RELAY_USERNAME"
+  passwordKey: "RELAY_PASSWORD"
+
+# Environment-specific configurations
+persistence:
+  enabled: true
+  # Development: use default storage class
+  storageClass: "standard"
+  size: "5Gi"
+
+# Resource optimizations for development
+resources:
+  admin:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "500m"
+      memory: "256Mi"
+  front:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+  postfix:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "300m"
+      memory: "256Mi"
+  dovecot:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "300m"
+      memory: "256Mi"
+  rspamd:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+  webmail:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+  clamav:
+    requests:
+      cpu: "100m"
+      memory: "256Mi"
+    limits:
+      cpu: "300m"
+      memory: "512Mi"
+
+replicaCount: 1  # Single replica for development
+
+# Security settings
+secretKey: "generate-strong-key-here-for-development"
+
+# Ingress configuration for development - disabled to use with existing ingress
+ingress:
+  enabled: false  # Disable chart's Ingress; use existing one
+  tls: false      # Disable TLS in chart since ingress handles it
+  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
+  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
+  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
+  path: /
+  pathType: ImplementationSpecific
+
+# TLS flavor for dev (may use self-signed)
+tls:
+  flavor: "notls"  # Disable TLS for development
+
+# Welcome message (disabled in dev)
+welcomeMessage:
+  enabled: false
+
+# Log level for dev
+logLevel: "DEBUG"
+
+# Development-specific overrides
+env:
+  DEBUG: "true"
+  LOG_LEVEL: "INFO"
+
+# Disable or simplify monitoring in development
+monitoring:
+  enabled: false
+
+# Network Policy for dev
+networkPolicy:
+  enabled: true
+  ingressController:
+    namespace: ingress-nginx
+    podSelector: |
+      matchLabels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/component: controller
+  monitoring:
+    namespace: monitoring
+    podSelector: |
+      matchLabels:
+        app: signoz-prometheus