# Production-tuned Mailu configuration
global:
  # Use the unbound service IP - will be replaced during deployment
  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

# Component-specific DNS configuration
admin:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

rspamd:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# External relay configuration for production
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@bakewise.ai"
  password: "PRODUCTION_MAILGUN_API_KEY"  # This should be set via secret

# Environment-specific configurations
persistence:
  enabled: true
  # Production: use microk8s-hostpath or longhorn
  storageClass: "longhorn"  # Assuming Longhorn is available in production
  size: "20Gi"  # Larger storage for production email volume

# Resource allocations for production
resources:
  admin:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  front:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  postfix:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  dovecot:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  rspamd:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  clamav:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1Gi"

replicaCount: 1  # Can be increased in production as needed

# Security settings
secretKey: "generate-strong-key-here-for-production"

# Ingress configuration for production - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false      # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: /
  pathType: ImplementationSpecific

# TLS flavor for production (uses Let's Encrypt)
tls:
  flavor: "cert"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Production-specific settings
env:
  DEBUG: "false"
  LOG_LEVEL: "WARNING"
  TLS_FLAVOR: "cert"
  REDIS_PASSWORD: "secure-redis-password"

# Enable monitoring in production
monitoring:
  enabled: true

# Production-specific security settings
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Network policies for production
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: monitoring
    podSelector: |
      matchLabels:
        app: signoz-prometheus