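# Development-tuned Mailu configuration (Helm values).
#
# NOTE(review): this file relaxes several controls for local development:
# TLS is disabled, secretKey is a committed placeholder, logging is at DEBUG
# and realIpFrom trusts every source address. Each is flagged where it occurs.

global:
  # Using Unbound DNS for DNSSEC validation (required by Mailu admin).
  # This value is dynamically set via --set during helm install:
  #   UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
  #   helm upgrade --install mailu ... --set global.custom_dns_servers="$UNBOUND_IP"
  # Default fallback to Kubernetes DNS (will be overridden by --set).
  # NOTE(review): if the --set override is omitted, the fallback below is used
  # silently; per the comment above that resolver is plain Kubernetes DNS, not
  # the DNSSEC-validating Unbound. Confirm the install script always sets it.
  custom_dns_servers: "10.96.0.10"  # Override with Unbound IP via --set

# Redis configuration - use built-in Mailu Redis (no authentication needed).
# NOTE(review): with no Redis authentication, access control rests entirely on
# network isolation of the Redis pod.
externalRedis:
  enabled: false

# Component-specific DNS configuration
# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local
# to kube-dns).
# NOTE: dnsConfig.nameservers is dynamically set via --set during helm install
admin:
  # "None" makes the pod use only the resolver settings listed in dnsConfig.
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      # Override with Unbound IP via --set admin.dnsConfig.nameservers[0]
      - "10.96.0.10"
    searches:
      - "bakery-ia.svc.cluster.local"
      - "svc.cluster.local"
      - "cluster.local"
    options:
      - name: ndots
        value: "5"

# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks).
# Using ClusterFirst with search domains + Kubernetes DNS which can forward
# to Unbound.
# NOTE(review): with ClusterFirst, rspamd queries the cluster DNS service;
# whether its answers are DNSSEC-validated depends on how that service
# forwards upstream, which is not configured in this file - confirm.
rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for dev
# NOTE: Using .dev TLD instead of .local because email-validator library
# rejects .local domains as "special-use or reserved names" (RFC 6761)
domain: "bakery-ia.dev"
hostnames:
  - "mail.bakery-ia.dev"

# Initial admin account for dev environment.
# The password is read from the mailu-admin-credentials secret (key
# "password"), so it is not stored in this file.
initialAccount:
  enabled: true
  username: "admin"
  domain: "bakery-ia.dev"
  existingSecret: "mailu-admin-credentials"
  existingSecretPasswordKey: "password"
  mode: "ifmissing"

# External relay configuration for dev (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
#   1. Register at mailgun.com and verify your domain (bakery-ia.dev)
#   2. Get your SMTP credentials from Mailgun dashboard
#   3. Update the secret in configs/mailgun-credentials-secret.yaml
#   4. Apply the secret:
#      kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
# NOTE(review): step 3 puts live SMTP credentials into a file under configs/.
# If that file is tracked in version control, commit only a template and
# keep the filled-in copy out of the repository.
externalRelay:
  host: "[smtp.mailgun.org]:587"
  # Credentials loaded from Kubernetes secret.
  # NOTE(review): initialAccount above names its secret with `existingSecret`
  # while this section uses `secretName` - verify the key against the values
  # reference of the chart version in use; an unrecognised key would leave
  # the relay without credentials.
  secretName: "mailu-mailgun-credentials"
  usernameKey: "RELAY_USERNAME"
  passwordKey: "RELAY_PASSWORD"

# Environment-specific configurations
persistence:
  enabled: true
  # Development: use default storage class
  storageClass: "standard"
  size: "5Gi"

# Resource optimizations for development
resources:
  admin:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  front:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  postfix:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  dovecot:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  rspamd:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  webmail:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  clamav:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "300m"
      memory: "512Mi"

replicaCount: 1  # Single replica for development

# Security settings
# NOTE(review): this is a committed, guessable placeholder, not a secret.
# Anyone with read access to the repository knows the key. Supply a random
# per-deployment value at install time (the same --set pattern this file
# already uses for the DNS IP) instead of editing it in place.
secretKey: "generate-strong-key-here-for-development"

# Ingress configuration for development - disabled to use with existing
# ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false  # Disable TLS in chart since ingress handles it
  # No TLS on internal NGINX; expect external proxy to handle TLS
  tlsFlavorOverride: "notls"
  realIpHeader: "X-Forwarded-For"  # Header for client IP from your Ingress
  # Trust all proxies (restrict to your Ingress pod CIDR for security).
  # NOTE(review): with 0.0.0.0/0 the header above is accepted from any peer,
  # so the recorded client address is whatever the sender claims. Logs and any
  # per-IP limits keyed on it are only reliable once this is narrowed.
  realIpFrom: "0.0.0.0/0"
  path: "/"
  pathType: "ImplementationSpecific"

# TLS flavor for dev.
# NOTE(review): "notls" turns TLS off entirely; the earlier wording "may use
# self-signed" did not match this value. Traffic reaching Mailu directly
# (not through the TLS-terminating ingress) is unencrypted, credentials
# included. How the mail ports are exposed is not shown in this file.
tls:
  flavor: "notls"  # Disable TLS for development

# Welcome message (disabled in dev)
welcomeMessage:
  enabled: false

# Log level for dev
# NOTE(review): `logLevel` says DEBUG while `env.LOG_LEVEL` below says INFO;
# which one takes effect is not visible here - settle on one. DEBUG output
# from mail components can be verbose, so treat dev logs as sensitive.
logLevel: "DEBUG"

# Development-specific overrides
env:
  DEBUG: "true"
  LOG_LEVEL: "INFO"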
# Monitoring is switched off (or kept minimal) in development.
monitoring:
  enabled: false

# Network Policy for dev.
# Each entry below names a namespace plus a pod label selector; the selector
# is handed to the chart as a multi-line string, hence the `|` block scalar.
networkPolicy:
  enabled: true
  # Source identified as the ingress controller.
  # NOTE(review): these labels must match the controller pods actually
  # deployed in the ingress-nginx namespace - verify with the running
  # cluster, since a mismatch would leave the policy not matching them.
  ingressController:
    namespace: "ingress-nginx"
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  # Source identified as the metrics scraper.
  # NOTE(review): monitoring.enabled is false above, yet a monitoring source
  # is still listed here. Whether the chart still renders an allow rule for
  # it is not visible in this file - confirm, and drop the entry if nothing
  # is meant to scrape Mailu in dev.
  monitoring:
    namespace: "monitoring"
    podSelector: |
      matchLabels:
        app: signoz-prometheus