# Default values for stalwart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
  image:
    # -- if set it will overwrite all registry entries
    registry:
    # -- if set it will overwrite all pullPolicy
    pullPolicy:

replicaCount: 1

image:
  registry: docker.io
  repository: stalwartlabs/mail-server
  pullPolicy: IfNotPresent
  # -- Overrides the image tag whose default is the chart appVersion.
  tag: ''

imagePullSecrets: []
nameOverride: ''
fullnameOverride: ''

config:
  server:
    listener:
      smtp:
        bind: ['[::]:25']
        protocol: 'smtp'
      submission:
        bind: ['[::]:587']
        protocol: 'smtp'
      submissions:
        bind: ['[::]:465']
        protocol: 'smtp'
        tls:
          implicit: true
      imap:
        bind: ['[::]:143']
        protocol: 'imap'
      imaptls:
        bind: ['[::]:993']
        protocol: 'imap'
        tls:
          implicit: true

      sieve:
        bind: ['[::]:4190']
        protocol: 'managesieve'

      https:
        protocol: 'http'
        bind: ['[::]:80']
        tls:
          implicit: true

    run-as:
      # -- server run-as user
      user: 'stalwart-mail'
      # -- server run-as group
      group: 'stalwart-mail'

  storage:
    data: 'rocksdb'
    fts: 'rocksdb'
    blob: 'rocksdb'
    lookup: 'rocksdb'
    directory: 'internal'

  store:
    rocksdb:
      type: rocksdb
      path: '/data'
      compression: 'lz4'

  directory:
    internal:
      type: 'internal'
      store: 'rocksdb'

  tracer:
    otel:
      enable: false
      type: 'open-telemetry'
      level: 'info'
      # -- grpc or http
      transport: 'grpc'
      endpoint: 'https://127.0.0.1/otel'
      # -- headers for usage with http (e.g. 'Authorization: <place_auth_here>')
      headers: []
    stdout:
      enable: true
      type: 'stdout'
      level: 'info'
      ansi: false

  auth:
    dkim:
      # -- auth rule for signing with dkim
      # @section -- DKIM
      sign:
        - if: "listener != 'smtp'"
          then: "['rsa', 'ed25519']"
        - else: false
      # -- verify of dkim signature (relaxed, strict, disable)
      # @section -- DKIM
      verify: 'relaxed'

  authentication:
    fallback-admin:
      # -- username for fallback authentfication
      # @section -- Authentification
      user: 'admin'
      # -- password for fallback authentfication (use env for store in secrets of kubernetes)
      # @section -- Authentification
      secret: '%{env:FALLBACK_ADMIN_SECRET}%'

secrets:
  env:
    # -- password for fallback authentfication (env)
    # @section -- Authentification
    FALLBACK_ADMIN_SECRET: supersecret

serviceAccount:
  # Specifies whether a service account should be created
  create: false
  # Automatically mount a ServiceAccount's API credentials?
  automount: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ''

podAnnotations: {}
podLabels: {}

env: []

podSecurityContext:
  {}
  # fsGroup: 2000

securityContext:
  {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  ipFamilies: ['IPv4']
  # -- other option is RequireDualStack
  ipFamilyPolicy: 'SingleStack'
  annotations: {}
  ports:
    smtp: 25
    smtp-submission: 587
    smtps: 465
    imap: 143
    imaps: 993
    sieve: 4190
    http: 80

ingress:
  enabled: false
  className: ''
  annotations:
    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

traefik:
  enabled: false
  ports:
    http: websecure
    imaps: imaps
    smtps: smtps

certificate:
  # -- not needed if certmanager is used
  secretName:
  certmanager:
    enabled: true
    issuerRef:
      group: cert-manager.io
      kind: ClusterIssuer
      name: letsencrypt-prod
    dnsNames:
      - 'chart-example.local'

resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

nodeSelector: {}

tolerations: []

affinity: {}

persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  enabled: true
  annotations: {}
  # -- Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  #   set, choosing the default provisioner.  (gp2 on AWS, standard on
  #   GKE, AWS & OpenStack)
  storageClass:

  # -- A manually managed Persistent Volume and Claim
  # Requires persistence.enabled: true
  # If defined, PVC must be created manually before volume will be bound
  existingClaim:

  # --  Do not create an PVC, direct use hostPath in Pod
  hostPath:
  # --  accessMode
  accessMode: ReadWriteOnce
  # -- size
  size: 10Gi