From 09f54b41347ff5c90064c8d4c2c6a9db7f05d54c Mon Sep 17 00:00:00 2001
From: Lilly Sell <sell@b1-systems.de>
Date: Wed, 30 Jul 2025 17:49:25 +0200
Subject: [PATCH] feat(nubus): Allow configuration of limits for password reset
 requests via `security.passwordResetLimits`

---
 helmfile/apps/nubus/values-nubus.yaml.gotmpl       | 5 +++++
 helmfile/environments/default/security.yaml.gotmpl | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index be554745..edeb2c2a 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -113,6 +113,11 @@ global:
           token_validity_period: 172800
           blacklist:
             groups: __DELETE_KEY__
+          limit:
+            total:
+              day: {{ .Values.security.passwordResetLimits.day }}
+              hour: {{ .Values.security.passwordResetLimits.hour }}
+              minute: {{ .Values.security.passwordResetLimits.minute }}
 
 ingress:
   annotations:
diff --git a/helmfile/environments/default/security.yaml.gotmpl b/helmfile/environments/default/security.yaml.gotmpl
index 6b60e6bd..aaf20333 100644
--- a/helmfile/environments/default/security.yaml.gotmpl
+++ b/helmfile/environments/default/security.yaml.gotmpl
@@ -12,4 +12,11 @@ security:
       matchLabels:
         app.kubernetes.io/name: "ingress-nginx"
     namespace: "ingress-nginx"
+
+  # Global limits for how often a password reset action can be requested.
+  # Defaults are taken from the nubus stack-data-ums chart and should work with most small to medium installations
+  passwordResetLimits:
+    day: 1000
+    hour: 200
+    minute: 120
 ...