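---
# Production-tuned Mailu configuration
#
# Secret handling in this file: credentials are referenced from existing
# Kubernetes Secrets (initialAccount, externalRelay). The one exception is
# secretKey below, which is still a placeholder literal — see the note there.

global:
  # Using Kubernetes CoreDNS for DNS resolution
  # CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validation
  custom_dns_servers: "10.152.183.10"  # MicroK8s CoreDNS IP

# Redis configuration - use built-in Mailu Redis (no authentication needed for internal)
externalRedis:
  enabled: false

# DNS configuration for production
# Use Kubernetes DNS (ClusterFirst) - CoreDNS provides DNSSEC via DNS-over-TLS
admin:
  dnsPolicy: "ClusterFirst"
rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# Network configuration for MicroK8s
# This must match your cluster's pod CIDR
# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
subnet: "10.1.0.0/16"

# Initial admin account for production environment
# Password is stored in mailu-admin-credentials secret
initialAccount:
  enabled: true
  username: "admin"
  domain: "bakewise.ai"
  existingSecret: "mailu-admin-credentials"
  existingSecretPasswordKey: "password"
  mode: "ifmissing"

# External relay configuration for production (MailerSend)
# All outbound emails will be relayed through MailerSend SMTP
# Secret already exists: mailu-mailersend-credentials
externalRelay:
  # Brackets around the host skip the MX lookup; port 2525 is the submission port
  host: "[smtp.mailersend.net]:2525"
  # Credentials loaded from existing Kubernetes secret
  secretName: "mailu-mailersend-credentials"
  usernameKey: "RELAY_USERNAME"
  passwordKey: "RELAY_PASSWORD"

# Environment-specific configurations
persistence:
  enabled: true
  # Production: use microk8s-hostpath (default storage class)
  storageClass: ""  # Use cluster default storage class
  size: "20Gi"  # Larger storage for production email volume

# Resource allocations for production
resources:
  admin:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  front:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  postfix:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  dovecot:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  rspamd:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  clamav:
    requests:
      cpu: "200m"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1Gi"

replicaCount: 1  # Can be increased in production as needed

# Security settings
# SECURITY: the value below is a placeholder, not a real key. It protects
# Mailu's session/authentication cookies, so it must be replaced with a
# strong random value before deployment — and preferably sourced from a
# Kubernetes Secret, as initialAccount and externalRelay already do, rather
# than committed here where anyone with repository access can read it.
secretKey: "generate-strong-key-here-for-production"

# Ingress configuration for production - disabled to use with existing ingress
# External nginx-ingress handles TLS termination and proxies to Mailu front
ingress:
  enabled: false  # Disable chart's Ingress; use existing mailu-ingress.yaml
  tls: false  # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: "notls"  # No TLS on internal NGINX; external ingress handles TLS
  # CRITICAL: Real IP header configuration for proper client IP detection
  # This must match the header set by nginx-ingress (X-Real-IP)
  # Reference: https://mailu.io/2.0/reverse.html
  realIpHeader: "X-Real-IP"
  # Any source in these ranges may set X-Real-IP and be believed. This is all
  # of RFC 1918, which is wider than the pod CIDR declared in `subnet` above;
  # narrow it to the ranges the ingress controller actually originates from
  # if the cluster layout allows. Keep in sync with env.REAL_IP_FROM below.
  realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"  # Trust cluster pod CIDRs
  path: "/"
  pathType: "ImplementationSpecific"

# TLS flavor for production
# "notls" because external ingress handles TLS termination
# The ingress sends X-Forwarded-Proto: https to tell Mailu the original protocol
tls:
  flavor: "notls"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Production-specific environment settings
# CRITICAL: These must be consistent with the ingress/proxy setup
# Values are strings on purpose: they are injected as container environment variables.
env:
  DEBUG: "false"
  # TODO: revert to WARNING (matching logLevel above) once debugging is finished
  LOG_LEVEL: "INFO"  # Temporarily set to INFO for debugging
  # TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
  # The ingress handles TLS and sends X-Forwarded-Proto: https
  TLS_FLAVOR: "notls"
  # Session cookie settings for reverse proxy setup
  # SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
  SESSION_COOKIE_SECURE: "true"
  # Increase session timeout to prevent premature logouts
  SESSION_TIMEOUT: "3600"
  PERMANENT_SESSION_LIFETIME: "108000"
  # PROXY_PROTOCOL controls the HAProxy PROXY protocol on front's listeners
  # (see the Mailu reverse-proxy docs referenced above). It stays off because
  # the ingress forwards plain HTTP and conveys the client address and
  # original scheme via X-Real-IP / X-Forwarded-Proto instead; the
  # "behind a reverse proxy" behaviour comes from TLS_FLAVOR and REAL_IP_*.
  PROXY_PROTOCOL: "false"
  # Trust the ingress controller's IP for real IP headers
  # Keep in sync with ingress.realIpFrom above (same spoofing caveat applies).
  REAL_IP_HEADER: "X-Real-IP"
  REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
  # CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
  # Reference: https://github.com/Mailu/Mailu/issues/3094
  # The webmail can get rate-limited causing infinite redirect loops
  # SECURITY: while these limits are this high, brute-force protection on
  # authentication is effectively off. TODO: restore the chart defaults once
  # the redirect loop is resolved, and watch auth failures in the meantime.
  AUTH_RATELIMIT_IP: "10000/minute"
  AUTH_RATELIMIT_USER: "10000/day"

# Enable monitoring in production
monitoring:
  enabled: true

# Production-specific security settings
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Network policies for production
# Note: MicroK8s uses 'ingress' namespace, not 'ingress-nginx'
# podSelector values are literal block scalars: the chart is expected to splice
# them into the NetworkPolicy as YAML text (the trailing newline is intentional).
networkPolicy:
  enabled: true
  ingressController:
    namespace: "ingress"
    podSelector: |
      matchLabels:
        name: nginx-ingress-microk8s
  monitoring:
    namespace: "monitoring"
    podSelector: |
      matchLabels:
        app: signoz-prometheus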