# Production-specific Mailu Helm values for Bakery-IA
# Overrides base configuration for production environment

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# External relay configuration for production
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@bakewise.ai"
  password: "PRODUCTION_MAILGUN_API_KEY"  # This should be set via secret

# Ingress configuration for production - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false      # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: /
  pathType: ImplementationSpecific

# TLS flavor for production (uses Let's Encrypt)
tls:
  flavor: "cert"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Network Policy for production
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: monitoring
    podSelector: |
      matchLabels:
        app: signoz-prometheus