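---
# Production-tuned Mailu configuration (Helm values override).
#
# NOTE(review): Helm silently ignores values keys that the chart templates never
# reference, so a key placed at the wrong level keeps the chart default without
# any error. Confirm against the mailu-helm version in use that every top-level
# key below (resources, securityContext, env, tls, antivirus, monitoring, ...)
# is actually consumed at that level.

global:
  # Using Kubernetes cluster DNS for name resolution
  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP

# Redis configuration - use built-in Mailu Redis (no authentication needed for internal)
externalRedis:
  enabled: false

# DNS configuration for production
# Use Kubernetes DNS (ClusterFirst) which forwards to Unbound via CoreDNS
# This is configured automatically by the mailu-helm Tilt resource
admin:
  dnsPolicy: "ClusterFirst"

rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for production
domain: "bakewise.ai"
hostnames:
  - "mail.bakewise.ai"

# Initial admin account for production environment
# Password is stored in the mailu-admin-credentials secret (never in this file)
initialAccount:
  enabled: true
  username: "admin"
  domain: "bakewise.ai"
  existingSecret: "mailu-admin-credentials"
  existingSecretPasswordKey: "password"
  mode: "ifmissing"  # only create the account if it does not exist yet

# External relay configuration for production (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
# 1. Register at mailgun.com and verify your domain (bakewise.ai)
# 2. Get your SMTP credentials from Mailgun dashboard
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
externalRelay:
  host: "[smtp.mailgun.org]:587"  # Postfix relayhost syntax: brackets skip MX lookup
  # Credentials loaded from Kubernetes secret
  secretName: "mailu-mailgun-credentials"
  usernameKey: "RELAY_USERNAME"
  passwordKey: "RELAY_PASSWORD"

# Environment-specific configurations
persistence:
  enabled: true
  # Production: use microk8s-hostpath (default storage class)
  storageClass: ""  # Use cluster default storage class
  size: "20Gi"  # Larger storage for production email volume

# Resource allocations for production
resources:
  admin:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  front:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  postfix:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  dovecot:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1"
      memory: "512Mi"
  rspamd:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  clamav:
    requests:
      cpu: "200m"
      memory: "512Mi"  # ClamAV keeps its signature database in memory
    limits:
      cpu: "1"
      memory: "1Gi"

replicaCount: 1  # Can be increased in production as needed

# Security settings
# NOTE(review): this is a placeholder, not a secret. Mailu's SECRET_KEY signs
# sessions/tokens, so a known value allows forging them. Supply a random value
# at install time (e.g. `--set secretKey=<RANDOM_VALUE>` sourced from a secret
# store) or, if the chart version in use supports it, reference an existing
# Secret the same way initialAccount does. Do not commit a real key here.
secretKey: "generate-strong-key-here-for-production"

# Ingress configuration for production - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false  # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: "notls"  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: "X-Forwarded-For"  # Header for client IP from your Ingress
  # NOTE(review): 0.0.0.0/0 trusts X-Forwarded-For from every source, so any
  # client that can reach the front pod directly can claim an arbitrary source
  # IP, which defeats Mailu's per-IP rate limiting and ban logic. Restrict this
  # to the ingress controller's pod CIDR, e.g. "<INGRESS_POD_CIDR>".
  realIpFrom: "0.0.0.0/0"  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: "/"
  pathType: "ImplementationSpecific"

# TLS flavor for production
# NOTE(review): the original comment said "uses Let's Encrypt", but in Mailu
# TLS_FLAVOR=cert means operator-supplied certificates; the Let's Encrypt
# flavor is "letsencrypt". This also conflicts with ingress.tlsFlavorOverride
# ("notls") above — confirm which flavor the chart finally renders.
tls:
  flavor: "cert"

# Welcome message (enabled in production)
welcomeMessage:
  enabled: true
  subject: "Welcome to Bakewise.ai Email Service"
  body: "Welcome to our email service. Please change your password and update your profile."

# Log level for production
logLevel: "WARNING"

# Enable antivirus in production
antivirus:
  enabled: true
  flavor: "clamav"

# Production-specific settings
# NOTE(review): if these are injected into the containers verbatim they may
# override values the chart computes from the keys above (TLS_FLAVOR vs
# ingress.tlsFlavorOverride, LOG_LEVEL vs logLevel) — confirm precedence.
env:
  DEBUG: "false"  # string on purpose; env values must not be YAML booleans
  LOG_LEVEL: "WARNING"
  TLS_FLAVOR: "cert"
  # NOTE(review): committed credential placeholder. The built-in Redis is
  # documented above as unauthenticated, so this is likely unused; if a Redis
  # password is really required, source it from a Secret instead of this file.
  REDIS_PASSWORD: "secure-redis-password"

# Enable monitoring in production
monitoring:
  enabled: true

# Production-specific security settings
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Network policies for production
networkPolicy:
  enabled: true
  ingressController:
    namespace: "ingress-nginx"
    # Block scalar on purpose: the chart consumes podSelector as a string and
    # renders it into the NetworkPolicy template.
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: "monitoring"
    podSelector: |
      matchLabels:
        app: signoz-prometheus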