# Development-tuned Mailu configuration
global:
  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
  custom_dns_servers: "10.98.197.120"  # Unbound DNS service IP

# Redis configuration - use built-in Mailu Redis (no authentication needed)
externalRedis:
  enabled: false

# Component-specific DNS configuration
# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
admin:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "10.98.197.120"   # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
    searches:
      - "bakery-ia.svc.cluster.local"
      - "svc.cluster.local"
      - "cluster.local"
    options:
      - name: ndots
        value: "5"

# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for dev
# NOTE: Using .dev TLD instead of .local because email-validator library
# rejects .local domains as "special-use or reserved names" (RFC 6761)
domain: "bakery-ia.dev"
hostnames:
  - "mail.bakery-ia.dev"

# External relay configuration for dev
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@bakery-ia.dev"
  password: "mailgun-api-key-replace-in-production"

# Environment-specific configurations
persistence:
  enabled: true
  # Development: use default storage class
  storageClass: "standard"
  size: "5Gi"

# Resource optimizations for development
resources:
  admin:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  front:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  postfix:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  dovecot:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  rspamd:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  clamav:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "300m"
      memory: "512Mi"

replicaCount: 1  # Single replica for development

# Security settings
secretKey: "generate-strong-key-here-for-development"

# Ingress configuration for development - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false      # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: /
  pathType: ImplementationSpecific

# TLS flavor for dev (may use self-signed)
tls:
  flavor: "notls"  # Disable TLS for development

# Welcome message (disabled in dev)
welcomeMessage:
  enabled: false

# Log level for dev
logLevel: "DEBUG"

# Development-specific overrides
env:
  DEBUG: "true"
  LOG_LEVEL: "INFO"

# Disable or simplify monitoring in development
monitoring:
  enabled: false

# Network Policy for dev
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: monitoring
    podSelector: |
      matchLabels:
        app: signoz-prometheus