bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3defa3a10330c78497214b2535e51322aa7aac5
bakery-ia/infrastructure/platform/mail/mailu-helm/prod/values.yaml
Bakery Admin c3defa3a10 Fix issues 7
2026-01-23 21:42:31 +01:00

198 lines
6.0 KiB
YAML
Raw Blame History

# Production-tuned Mailu configuration
global:
# Using Kubernetes CoreDNS for DNS resolution
# CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validation
custom_dns_servers: "10.152.183.10" # MicroK8s CoreDNS IP
# Redis configuration - use built-in Mailu Redis (no authentication needed for internal)
externalRedis:
enabled: false
# DNS configuration for production
# Use Kubernetes DNS (ClusterFirst) - CoreDNS provides DNSSEC via DNS-over-TLS
admin:
dnsPolicy: "ClusterFirst"
rspamd:
dnsPolicy: "ClusterFirst"
# Domain configuration for production
domain: "bakewise.ai"
hostnames:
- "mail.bakewise.ai"
# Network configuration for MicroK8s
# This must match your cluster's pod CIDR
# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
subnet: "10.1.0.0/16"
# Initial admin account for production environment
# Password is stored in mailu-admin-credentials secret
initialAccount:
enabled: true
username: "admin"
domain: "bakewise.ai"
existingSecret: "mailu-admin-credentials"
existingSecretPasswordKey: "password"
mode: "ifmissing"
# External relay configuration for production (MailerSend)
# All outbound emails will be relayed through MailerSend SMTP
# Secret already exists: mailu-mailersend-credentials
externalRelay:
host: "[smtp.mailersend.net]:2525"
# Credentials loaded from existing Kubernetes secret
# Key names use Helm chart defaults (relay-username, relay-password)
existingSecret: "mailu-mailersend-credentials"
# Postfix configuration
# CRITICAL: podAnnotations ensures Postfix restarts when credentials change
# Without this, Mailu reads SASL credentials only at pod startup and won't pick up secret updates
postfix:
podAnnotations:
# UPDATE THIS VALUE when changing mailu-mailersend-credentials secret
# This triggers a rolling restart of Postfix to reload SASL credentials
# Generate new value: date +%s or use the secret's resourceVersion
credentials-version: "1706054400"
# Environment-specific configurations
persistence:
enabled: true
# Production: use microk8s-hostpath (default storage class)
storageClass: "" # Use cluster default storage class
size: "20Gi" # Larger storage for production email volume
# Resource allocations for production
resources:
admin:
requests:
cpu: "200m"
memory: "256Mi"
limits:
cpu: "1"
memory: "512Mi"
front:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
postfix:
requests:
cpu: "200m"
memory: "256Mi"
limits:
cpu: "1"
memory: "512Mi"
dovecot:
requests:
cpu: "200m"
memory: "256Mi"
limits:
cpu: "1"
memory: "512Mi"
rspamd:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
clamav:
requests:
cpu: "200m"
memory: "512Mi"
limits:
cpu: "1"
memory: "1Gi"
replicaCount: 1 # Can be increased in production as needed
# Security settings
secretKey: "generate-strong-key-here-for-production"
# Ingress configuration for production - disabled to use with existing ingress
# External nginx-ingress handles TLS termination and proxies to Mailu front
ingress:
enabled: false # Disable chart's Ingress; use existing mailu-ingress.yaml
tls: false # Disable TLS in chart since ingress handles it
tlsFlavorOverride: notls # No TLS on internal NGINX; external ingress handles TLS
# CRITICAL: Real IP header configuration for proper client IP detection
# This must match the header set by nginx-ingress (X-Real-IP)
# Reference: https://mailu.io/2.0/reverse.html
realIpHeader: X-Real-IP
realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" # Trust cluster pod CIDRs
path: /
pathType: ImplementationSpecific
# TLS flavor for production
# "notls" because external ingress handles TLS termination
# The ingress sends X-Forwarded-Proto: https to tell Mailu the original protocol
tls:
flavor: "notls"
# Welcome message (enabled in production)
welcomeMessage:
enabled: true
subject: "Welcome to Bakewise.ai Email Service"
body: "Welcome to our email service. Please change your password and update your profile."
# Log level for production
logLevel: "WARNING"
# Enable antivirus in production
antivirus:
enabled: true
flavor: "clamav"
# Production-specific environment settings
# CRITICAL: These must be consistent with the ingress/proxy setup
env:
DEBUG: "false"
LOG_LEVEL: "INFO" # Temporarily set to INFO for debugging
# TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
# The ingress handles TLS and sends X-Forwarded-Proto: https
TLS_FLAVOR: "notls"
# Session cookie settings for reverse proxy setup
# SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
SESSION_COOKIE_SECURE: "true"
# Increase session timeout to prevent premature logouts
SESSION_TIMEOUT: "3600"
PERMANENT_SESSION_LIFETIME: "108000"
# CRITICAL: Tell Mailu it's behind a reverse proxy
# This ensures proper URL generation for redirects
PROXY_PROTOCOL: "false"
# Trust the ingress controller's IP for real IP headers
REAL_IP_HEADER: "X-Real-IP"
REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
# CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
# Reference: https://github.com/Mailu/Mailu/issues/3094
# The webmail can get rate-limited causing infinite redirect loops
AUTH_RATELIMIT_IP: "10000/minute"
AUTH_RATELIMIT_USER: "10000/day"
# Enable monitoring in production
monitoring:
enabled: true
# Production-specific security settings
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
# Network policies for production
# Note: MicroK8s uses 'ingress' namespace, not 'ingress-nginx'
networkPolicy:
enabled: true
ingressController:
namespace: ingress
podSelector: |
matchLabels:
name: nginx-ingress-microk8s
monitoring:
namespace: monitoring
podSelector: |
matchLabels:
app: signoz-prometheus
Reference in New Issue View Git Blame Copy Permalink