diff --git a/share/wildduck/index.yaml b/share/wildduck/index.yaml
index d1670b2..52fdcba 100644
--- a/share/wildduck/index.yaml
+++ b/share/wildduck/index.yaml
@@ -6,6 +6,56 @@ metadata:
 name: wildduck
 description: null
 options:
+ additional-domains:
+ default: []
+ items:
+ type: string
+ type: array
+ backups:
+ default:
+ enable: false
+ endpoint: ''
+ key-id-key: s3-id
+ secret-key: s3-secret
+ secret-name: backup-settings
+ examples:
+ - enable: false
+ endpoint: ''
+ key-id-key: s3-id
+ secret-key: s3-secret
+ secret-name: backup-settings
+ properties:
+ enable:
+ default: false
+ type: boolean
+ endpoint:
+ default: ''
+ type: string
+ key-id-key:
+ default: s3-id
+ type: string
+ secret-key:
+ default: s3-secret
+ type: string
+ secret-name:
+ default: backup-settings
+ type: string
+ type: object
+ sub-domain:
+ default: mail
+ examples:
+ - mail
+ type: string
+ ingress-class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
+ domain:
+ default: your-company
+ examples:
+ - your-company
+ type: string
 redis:
 default:
 exporter:
@@ -39,11 +89,6 @@ options:
 default: 2Gi
 type: string
 type: object
- ingress-class:
- default: traefik
- examples:
- - traefik
- type: string
 images:
 default:
 haraka:
@@ -207,56 +252,11 @@ options:
 type: string
 type: object
 type: object
- backups:
- default:
- enable: false
- endpoint: ''
- key-id-key: s3-id
- secret-key: s3-secret
- secret-name: backup-settings
- examples:
- - enable: false
- endpoint: ''
- key-id-key: s3-id
- secret-key: s3-secret
- secret-name: backup-settings
- properties:
- enable:
- default: false
- type: boolean
- endpoint:
- default: ''
- type: string
- key-id-key:
- default: s3-id
- type: string
- secret-key:
- default: s3-secret
- type: string
- secret-name:
- default: backup-settings
- type: string
- type: object
 issuer:
 default: letsencrypt-prod
 examples:
 - letsencrypt-prod
 type: string
- sub-domain:
- default: mail
- examples:
- - mail
- type: string
- domain:
- default: your-company
- examples:
- - your-company
- type: string
- additional-domains:
- default: []
- items:
- type: string
- type: array
 domain-name:
 default: your_company.com
 examples:
diff --git a/share/wildduck/wildduck.tf b/share/wildduck/wildduck.tf
index 997a6ab..807d552 100644
--- a/share/wildduck/wildduck.tf
+++ b/share/wildduck/wildduck.tf
@@ -71,6 +71,9 @@ resource "kubectl_manifest" "wildduck_deploy" {
 - name: configmap
 mountPath: /wildduck/config/api.toml
 subPath: api.toml
+ - name: configmap
+ mountPath: /wildduck/config/dbs.toml
+ subPath: dbs.toml
 - name: configmap
 mountPath: /wildduck/config/dkim.toml
 subPath: dkim.toml
@@ -103,30 +106,52 @@ resource "kubectl_manifest" "wildduck_config" {
 labels: ${jsonencode(local.wildduck-labels)}
 data:
 default.toml: |-
+ # Uncomment if you start the app as root and want to downgrade
+ # once all privileged actions are completed
+ # If you do not use privileged ports then you can start the app already under required user account
+ #user="wildduck"
+ #group="wildduck"
+ # process title
 ident="wildduck"
+ # how many processes to start
 processes=1
+ # default quota storage in MB (can be overriden per user)
 maxStorage=1024
+ # default smtp recipients for 24h (can be overriden per user)
 maxRecipients=2000
+ # default forwarded messages for 24h (can be overriden per user)
 maxForwards=2000
+ # If usernames are not email addresses then use this domain as hostname part
 #emailDomain="mydomain.info"
 [dbs]
- mongo="mongodb://${var.component}:${local.mongo-password}@${var.instance}-${var.component}-mongo-svc.${var.namespace}.svc:27017/${var.component}"
- redis="redis://${var.instance}-${var.component}-redis.${var.namespace}.svc:6379/3"
- sender="wildduck"
+ # @include "dbs.toml"
 [totp]
+ # If enabled then encrypt TOTP seed tokens with the secret password. By default TOTP seeds
+ # are not encrypted and stored as cleartext. Once set up do not change these values,
+ # otherwise decrypting totp seeds is going to fail
 cipher="aes192"
 secret="${local.secrets.totp}"
 [u2f]
 # Fully qualified URL of your website (must use HTTPS!)
- appId="https://${var.sub-domain}.${var.domain-name}"
+ appId="https://localhost:3000"
 [attachments]
 # @include "attachments.toml"
 [log]
 level="debug"
- skipFetchLog=true
+ skipFetchLog=false # if true, then does not output individual * FETCH responses to log
+ # delete authentication log entries after 30 days
+ # changing this value only affects new entries
+ # set to false to not log authentication events
+ # set to 0 to keep the logs infinitely
 authlogExpireDays=30
 [log.gelf]
 enabled=false
+ hostname=false # defaults to os.hostname()
+ component="wildduck"
+ [log.gelf.options]
+ graylogPort=12201
+ graylogHostname="127.0.0.1"
+ connection="lan"
 [imap]
 # @include "imap.toml"
 [tls]
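Review bot: The `[u2f]` `appId` is now the literal `https://localhost:3000` instead of the value built from `var.sub-domain` and `var.domain-name`, while the comment directly above it still asks for the fully qualified URL of the site. U2F ties registered keys to the app ID, so a deployment served from its real hostname will most likely fail to register or verify keys against this value; it looks like an upstream sample default carried over with the comments. I would keep the templated line, `appId="https://${var.sub-domain}.${var.domain-name}"`. Separately, `skipFetchLog=false` combined with `level="debug"` logs individual FETCH responses, which may put mailbox data into pod logs, so consider leaving it `true` outside a debugging session. The `wildduck_config` manifest starts and ends outside this hunk.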
@@ -202,6 +227,32 @@ resource "kubectl_manifest" "wildduck_config" {
 #cert="/path/to/server/cert.pem"
 [cors]
 origins = ["*"]
+ dbs.toml: |-
+ # mongodb connection string for the main database
+ mongo="mongodb://${var.component}:${local.mongo-password}@${var.instance}-${var.component}-mongo-svc.${var.namespace}.svc:27017/${var.component}"
+ # redis connection string to connect to a single master (see below for Sentinel example)
+ redis="redis://${var.instance}-${var.component}-redis.${var.namespace}.svc:6379/3"
+ # WildDuck allows using different kind of data in different databases
+ # If you do not provide a database config value, then main database connection
+ # is used for everything
+ # You can either use a database name (uses shared connection) or a configutaion
+ # url (creates a separate connection) for each databases
+
+ # Optional database name or connection url for GridFS if you do not want to
+ # use the main db for storing attachments. Useful if you want
+ # to use a different mount folder or storage engine
+ #gridfs="wildduck"
+
+ # Optional database name or connection url for users collection if you do not want to
+ # use the main db for storing user/address data. Useful if you want
+ # to use a different mount folder or storage engine
+ #users="wildduck"
+
+ # Optional database name or connection url for ZoneMTA queue database. This is
+ # used to push outbound emails to the sending queue
+ sender="${var.component}"
+
+ #queued="mail"
 dkim.toml: |-
 # If enabled then encrypt DKIM keys with the secret password. By default DKIM keys
 # are not encrypted and stored as cleartext. Once set up do not change these values,
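Review bot: The new `dbs.toml` entry puts the MongoDB connection string, including `${local.mongo-password}`, under `data:` of what appears to be a ConfigMap (the volume mounting it in the `-71,6 +71,9` hunk is named `configmap`). ConfigMap contents are not handled as secret material: anyone who can read ConfigMaps in the namespace sees the password, and the protections commonly applied only to Secrets (tighter RBAC, encryption at rest) do not cover it. Now that the database settings live in their own file, `dbs.toml` could be rendered into a `kind: Secret` (via `stringData:`) and mounted at `/wildduck/config/dbs.toml` from that volume instead. The `redis` URL and `sender` carry no credential and can stay as written. The `wildduck_config` resource starts outside the hunk, so its `kind` is not visible here and should be confirmed.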