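# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# Values template for the Postfix release. Template actions are rendered first and the
# result is then parsed as YAML, so every templated scalar must be quoted or emitted via toYaml.

# TLS material: an existing secret is referenced; no certificate is requested by this release.
certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
  request:
    enabled: false

# NOTE(review): the container runs as root (UID/GID 0) with `privileged: true`.
# In Kubernetes a privileged container always runs with seccomp Unconfined and with all
# capabilities, so `seccompProfile: RuntimeDefault` and `capabilities: {}` below have no
# restricting effect, and `allowPrivilegeEscalation` is implicitly true.
# TODO confirm whether the Postfix image really needs privileged mode; if it only needs a few
# capabilities, a non-privileged container with an explicit `capabilities.add` list and
# `drop: ["ALL"]` would limit what a compromised mail process can do on the node.
containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0
  privileged: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}

global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

image:
  # Registry precedence: openCode registry override, then the global registry, then the image default.
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
  repository: {{ .Values.images.postfix.repository | quote }}
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

persistence:
  size: {{ .Values.persistence.storages.postfix.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.postfix.storageClassName .Values.persistence.storageClassNames.RWO | quote }}

podSecurityContext:
  enabled: true
  fsGroup: 101

postfix:
  amavisHost: ""
  amavisPortIn: ""
  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  hostname: "postfix"
  inetProtocols: "ipv4"
  # maxSize is multiplied by 1024 * 1024 and passed on as a quoted integer string.
  messageSizeLimit: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
  # Mail is temporarily rejected rather than passed through when a milter is unavailable.
  milterDefaultAction: "tempfail"
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  minTLSVersion: "TLSv1.2"
  smtpdTLSMandatoryCiphers: "medium"
  rspamdHost: ""
  {{- if .Values.smtp.host }}
  # NOTE(review): the relay credentials are rendered into the values as plain text; keep the
  # source values out of version control and confirm the chart stores them in a Secret.
  # Host, username and password are quoted so that characters such as `#`, `: ` or a leading
  # `*` or `{` in a credential cannot truncate or re-type the value when the output is parsed.
  relayHost:
    enabled: true
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port }}
    authentication:
      username:
        value: {{ .Values.smtp.username | quote }}
      password:
        value: {{ .Values.smtp.password | quote }}
  smtpSASLAuthEnable: "yes"
  {{- else }}
  smtpSASLAuthEnable: "no"
  {{- end }}
  allowRelayNets: false
  smtpTLSSecurityLevel: "encrypt"
  smtpdSASLAuthEnable: "yes"
  smtpdSASLSecurityOptions: {{ .Values.smtp.security.smtpdSASLSecurityOptions | join ", " | quote }}
  smtpSASLSecurityOptions: {{ .Values.smtp.security.smtpSASLSecurityOptions | join ", " | quote }}
  smtpdSASLType: "dovecot"
  smtpdTLSSecurityLevel: "encrypt"
  smtpdTLSCertFile: "/etc/tls/tls.crt"
  smtpdKeyFile: "/etc/tls/tls.key"
  smtpdSASLPath: "inet:dovecot:3659"
  staticAuthDB:
    enabled: false
  ldapTransportMaps: []
  ldapVirtualAliasMaps:
    # NOTE(review): scheme "ldap" on port 389 is not TLS-wrapped; unless the chart negotiates
    # StartTLS or the cluster network provides transport encryption, the bind password below
    # is sent in clear text to the directory - confirm.
    - host: "ums-ldap-server"
      scheme: "ldap"
      port: 389
      baseDn: "{{ .Values.ldap.baseDn }}"
      bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}"
      password:
        value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }}
      # ldap filter to find groups with mail address
      queryFilter: "(&(|(objectClass=univentionMailList)(objectClass=posixGroup))(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)))"
      # -- use this attribute if the query already returns email addresses of members and no recursive lookup needs to be done
      resultAttribute: ""
      # -- do a recursive search on the specified attribute if found, should be a DN
      specialResultAttribute: "uniqueMember"
      # -- return the following attribute from all found leaves when a recursive search is done
      leafResultAttribute: "mailPrimaryAddress"
  # Milter selection: an explicitly configured antivirus milter wins; otherwise the enabled
  # ClamAV variant is used. If neither applies, no smtpdMilters key is rendered at all.
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
  {{- if .Values.apps.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
  {{- else if .Values.apps.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
  # The primary mail domain (falling back to the global domain) is prepended to the additional
  # mail domains and duplicates are removed.
  virtualMailboxDomains:
    {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
  virtualTransport: "lmtps:dovecot:24"

podAnnotations:
  intents.otterize.com/service-name: "open-xchange-postfix"
  {{- with .Values.annotations.openxchangePostfix.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}

replicaCount: {{ .Values.replicas.postfix }}

resources:
  {{ .Values.resources.postfix | toYaml | nindent 2 }}

# The service stanza (with its external service) is only rendered when the effective service
# type is NodePort or LoadBalancer, i.e. when the SMTP ports are exposed outside the cluster.
{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
service:
  annotations:
    {{ .Values.annotations.openxchangePostfix.service | toYaml | nindent 4 }}
  external:
    enabled: true
    annotations:
      {{ .Values.annotations.openxchangePostfix.serviceExternal | toYaml | nindent 6 }}
    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
{{- end }}
...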