apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "rspamd.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "rspamd.labels" . | nindent 4 }}
data:
  ratelimit.conf: |-
    rates {
      # Limit for all mail per recipient (default rate 70 per day)
      to = "{{ .Values.rspamd.rateLimits.to }}";
      # Limit for all mail per one source ip (default rate 150 per day)
      to_ip = "{{ .Values.rspamd.rateLimits.toIp }}";
      # Limit for all mail per one source ip and from address (default rate 100 per day)
      to_ip_from = "{{ .Values.rspamd.rateLimits.toIpFrom }}";
      # Limit for all bounce mail (rate 2 per hour)
      #bounce_to = "2 / 1h";
      # Limit for bounce mail per one source ip (rate 1 per hour)
      #bounce_to_ip = "1 / 1h";
      # Limit for all mail per authenticated user (default rate 100 per day)
      user = "{{ .Values.rspamd.rateLimits.user }}";
    }
    whitelisted_rcpts = "{{ .Values.rspamd.rateLimits.whitelisted.rcpts }}";
    whitelisted_ip = "/etc/rspamd/local.d/ratelimit_whitelist.map";
    max_rcpt = {{ .Values.rspamd.rateLimits.maxRcpt }};
  ratelimit_whitelist.map: |-
    {{- range .Values.rspamd.rateLimits.whitelisted.ips }}
      {{ . }}
    {{- end }}
  redis.conf: |-
    servers = "{{ printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" }}";
    db = "3";
    password = "{{ .Values.redis.auth.password }}";
  worker-proxy.inc: |-
    milter = {{ .Values.rspamd.workerProxy.milter }}; 
    bind_socket = "*:{{ .Values.service.ports.milter }}";
    timeout = {{ .Values.rspamd.workerProxy.timeout }};
    upstream "local" {
      default = yes; # Self-scan upstreams are always default
      self_scan = yes; # Enable self-scan
    }
    count = {{ .Values.rspamd.workerProxy.count }}; # Spawn more processes in self-scan mode
    max_retries = {{ .Values.rspamd.workerProxy.maxRetries }}; # How many times master is queried in case of failure
    discard_on_reject = {{ .Values.rspamd.workerProxy.discardOnReject }}; # Discard message instead of rejection
    quarantine_on_reject = {{ .Values.rspamd.workerProxy.quarantineOnReject }}; # Tell MTA to quarantine rejected messages
    spam_header = "{{ .Values.rspamd.workerProxy.spamHeader }}"; # Use the specific spam header
    reject_message = "{{ .Values.rspamd.workerProxy.rejectMessage }}"; # Use custom rejection message
  worker-normal.inc: |-
    {{ if eq .Values.rspamd.workerProxy.milter "yes" -}}
    # Disable worker-normal in Milter mode
    worker "normal" {
      enabled = false;
    }
    {{- end }}
  worker-controller.inc: |-
    secure_ip = "127.0.0.1";
    password = "{{ .Values.rspamd.password }}";
    enable_password = "{{ .Values.rspamd.password }}";