diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index be554745..edeb2c2a 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -113,6 +113,11 @@ global:
           token_validity_period: 172800
           blacklist:
             groups: __DELETE_KEY__
+          limit:
+            total:
+              day: {{ .Values.security.passwordResetLimits.day }}
+              hour: {{ .Values.security.passwordResetLimits.hour }}
+              minute: {{ .Values.security.passwordResetLimits.minute }}
 
 ingress:
   annotations:
diff --git a/helmfile/environments/default/security.yaml.gotmpl b/helmfile/environments/default/security.yaml.gotmpl
index 6b60e6bd..aaf20333 100644
--- a/helmfile/environments/default/security.yaml.gotmpl
+++ b/helmfile/environments/default/security.yaml.gotmpl
@@ -12,4 +12,11 @@ security:
       matchLabels:
         app.kubernetes.io/name: "ingress-nginx"
     namespace: "ingress-nginx"
+
+  # Global limits for how often a password reset action can be requested.
+  # Defaults are taken from the nubus stack-data-ums chart and should work with most small to medium installations
+  passwordResetLimits:
+    day: 1000
+    hour: 200
+    minute: 120
 ...