174 lines
4.8 KiB
YAML
174 lines
4.8 KiB
YAML
# Development-tuned Mailu configuration
|
|
global:
|
|
# Using Unbound DNS for DNSSEC validation (required by Mailu admin)
|
|
# This value is dynamically set via --set during helm install:
|
|
# UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
|
|
# helm upgrade --install mailu ... --set global.custom_dns_servers="$UNBOUND_IP"
|
|
# Default fallback to Kubernetes DNS (will be overridden by --set)
|
|
custom_dns_servers: "10.96.0.10" # Override with Unbound IP via --set
|
|
|
|
# Redis configuration - use built-in Mailu Redis (no authentication needed)
|
|
externalRedis:
|
|
enabled: false
|
|
|
|
# Component-specific DNS configuration
|
|
# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
|
|
# NOTE: dnsConfig.nameservers is dynamically set via --set during helm install
|
|
admin:
|
|
dnsPolicy: "None"
|
|
dnsConfig:
|
|
nameservers:
|
|
- "10.96.0.10" # Override with Unbound IP via --set admin.dnsConfig.nameservers[0]
|
|
searches:
|
|
- "bakery-ia.svc.cluster.local"
|
|
- "svc.cluster.local"
|
|
- "cluster.local"
|
|
options:
|
|
- name: ndots
|
|
value: "5"
|
|
|
|
# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
|
|
# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
|
|
rspamd:
|
|
dnsPolicy: "ClusterFirst"
|
|
|
|
# Domain configuration for dev
|
|
# NOTE: Using .dev TLD instead of .local because email-validator library
|
|
# rejects .local domains as "special-use or reserved names" (RFC 6761)
|
|
domain: "bakery-ia.dev"
|
|
hostnames:
|
|
- "mail.bakery-ia.dev"
|
|
|
|
# Initial admin account for dev environment
|
|
# Password is stored in mailu-admin-credentials secret
|
|
initialAccount:
|
|
enabled: true
|
|
username: "admin"
|
|
domain: "bakery-ia.dev"
|
|
existingSecret: "mailu-admin-credentials"
|
|
existingSecretPasswordKey: "password"
|
|
mode: "ifmissing"
|
|
|
|
# External relay configuration for dev (Mailgun)
|
|
# All outbound emails will be relayed through Mailgun SMTP
|
|
# To configure:
|
|
# 1. Register at mailgun.com and verify your domain (bakery-ia.dev)
|
|
# 2. Get your SMTP credentials from Mailgun dashboard
|
|
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
|
|
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
|
|
externalRelay:
|
|
host: "[smtp.mailgun.org]:587"
|
|
# Credentials loaded from Kubernetes secret
|
|
secretName: "mailu-mailgun-credentials"
|
|
usernameKey: "RELAY_USERNAME"
|
|
passwordKey: "RELAY_PASSWORD"
|
|
|
|
# Environment-specific configurations
|
|
persistence:
|
|
enabled: true
|
|
# Development: use default storage class
|
|
storageClass: "standard"
|
|
size: "5Gi"
|
|
|
|
# Resource optimizations for development
|
|
resources:
|
|
admin:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "128Mi"
|
|
limits:
|
|
cpu: "500m"
|
|
memory: "256Mi"
|
|
front:
|
|
requests:
|
|
cpu: "50m"
|
|
memory: "64Mi"
|
|
limits:
|
|
cpu: "200m"
|
|
memory: "128Mi"
|
|
postfix:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "128Mi"
|
|
limits:
|
|
cpu: "300m"
|
|
memory: "256Mi"
|
|
dovecot:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "128Mi"
|
|
limits:
|
|
cpu: "300m"
|
|
memory: "256Mi"
|
|
rspamd:
|
|
requests:
|
|
cpu: "50m"
|
|
memory: "64Mi"
|
|
limits:
|
|
cpu: "200m"
|
|
memory: "128Mi"
|
|
webmail:
|
|
requests:
|
|
cpu: "50m"
|
|
memory: "64Mi"
|
|
limits:
|
|
cpu: "200m"
|
|
memory: "128Mi"
|
|
clamav:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "256Mi"
|
|
limits:
|
|
cpu: "300m"
|
|
memory: "512Mi"
|
|
|
|
replicaCount: 1 # Single replica for development
|
|
|
|
# Security settings
|
|
secretKey: "generate-strong-key-here-for-development"
|
|
|
|
# Ingress configuration for development - disabled to use with existing ingress
|
|
ingress:
|
|
enabled: false # Disable chart's Ingress; use existing one
|
|
tls: false # Disable TLS in chart since ingress handles it
|
|
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
|
|
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
|
|
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
|
|
path: /
|
|
pathType: ImplementationSpecific
|
|
|
|
# TLS flavor for dev (may use self-signed)
|
|
tls:
|
|
flavor: "notls" # Disable TLS for development
|
|
|
|
# Welcome message (disabled in dev)
|
|
welcomeMessage:
|
|
enabled: false
|
|
|
|
# Log level for dev
|
|
logLevel: "DEBUG"
|
|
|
|
# Development-specific overrides
|
|
env:
|
|
DEBUG: "true"
|
|
LOG_LEVEL: "INFO"
|
|
|
|
# Disable or simplify monitoring in development
|
|
monitoring:
|
|
enabled: false
|
|
|
|
# Network Policy for dev
|
|
networkPolicy:
|
|
enabled: true
|
|
ingressController:
|
|
namespace: ingress-nginx
|
|
podSelector: |
|
|
matchLabels:
|
|
app.kubernetes.io/name: ingress-nginx
|
|
app.kubernetes.io/instance: ingress-nginx
|
|
app.kubernetes.io/component: controller
|
|
monitoring:
|
|
namespace: monitoring
|
|
podSelector: |
|
|
matchLabels:
|
|
app: signoz-prometheus |