Diffstat (limited to 'playbooks/roles/mail/templates/stacks')
-rw-r--r--playbooks/roles/mail/templates/stacks/docker-compose.yml120
1 files changed, 120 insertions, 0 deletions
diff --git a/playbooks/roles/mail/templates/stacks/docker-compose.yml b/playbooks/roles/mail/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..654f264
--- /dev/null
+++ b/playbooks/roles/mail/templates/stacks/docker-compose.yml
@@ -0,0 +1,120 @@
+services:
+ roundcube:
+ image: roundcube/roundcubemail:latest-nonroot
+ restart: always
+ volumes:
+ - {{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db
+ - {{ mail_base }}/volumes/data/roundcube/config:/var/roundcube/config
+ environment:
+ - ROUNDCUBEMAIL_DB_TYPE=sqlite
+ - ROUNDCUBEMAIL_SKIN=elastic
+ - ROUNDCUBEMAIL_PLUGINS={{ roundcube_plugins }}
+ - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
+ - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
+ - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
+ - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
+ networks:
+ - proxy
+ - roundcube
+ deploy:
+ mode: replicated
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.mail.tls=true
+ - traefik.http.routers.mail.tls.certResolver=letsencrypt
+ - traefik.http.routers.mail.rule=Host(`{{ mail_domain }}`)
+ - traefik.http.routers.mail.entrypoints=websecure
+ - traefik.http.services.mail.loadbalancer.server.port=8000
+
+ mailserver:
+ image: ghcr.io/docker-mailserver/docker-mailserver:latest
+ hostname: {{ mail_domain }}
+{% if homelab_build %}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ [ ! -f "/etc/letsencrypt/live/{{ mail_domain }}" ] && sleep 60 # Sleep until certificate requested from traefik
+ supervisord -c /etc/supervisor/supervisord.conf
+ healthcheck:
+ disable: true
+{% endif %}
+ deploy:
+ mode: replicated
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ # ManageSieve
+ - traefik.tcp.routers.sieve.tls.passthrough=true
+ - traefik.tcp.routers.sieve.rule=HostSNI(`*`)
+ - traefik.tcp.routers.sieve.entrypoints=sieve
+ - traefik.tcp.routers.sieve.service=sieve
+ - traefik.tcp.services.sieve.loadbalancer.server.port=4190
+ # IMAP
+ - traefik.tcp.routers.imap.tls.passthrough=true
+ - traefik.tcp.routers.imap.rule=HostSNI(`*`)
+ - traefik.tcp.routers.imap.entrypoints=imap
+ - traefik.tcp.routers.imap.service=imap
+ - traefik.tcp.services.imap.loadbalancer.server.port=993
+ # SMTP
+ - traefik.tcp.routers.smtp.tls.passthrough=true
+ - traefik.tcp.routers.smtp.rule=HostSNI(`*`)
+ - traefik.tcp.routers.smtp.entrypoints=smtp
+ - traefik.tcp.routers.smtp.service=smtp
+ - traefik.tcp.services.smtp.loadbalancer.server.port=465
+ volumes:
+ - {{ mail_base }}/volumes/data/dms/vmail:/var/mail/
+ - {{ mail_base }}/volumes/data/dms/mail-state:/var/mail-state/
+ - {{ mail_base }}/volumes/data/dms/mail-logs:/var/log/mail/
+ - {{ mail_base }}/volumes/data/dms/config:/tmp/docker-mailserver/
+ - {{ mail_base }}/volumes/data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext
+ - {{ letsencrypt_certs }}:/certs/:ro
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - SSL_TYPE=manual
+ - SSL_CERT_PATH=/certs/{{ mail_domain }}.pem
+ - SSL_KEY_PATH=/certs/{{ mail_domain }}.key
+ - ENABLE_CLAMAV=0
+ - ENABLE_AMAVIS=0
+ - ENABLE_FAIL2BAN=1
+ - ENABLE_SASLAUTHD=1
+ - ENABLE_MANAGESIEVE=1
+ - ENABLE_POSTGREY=0
+
+ - SPOOF_PROTECTION=1
+ - ACCOUNT_PROVISIONER=LDAP
+ - LDAP_SERVER_HOST={{ ldap_server_host }}
+ - LDAP_SEARCH_BASE={{ ldap_search_base }}
+ - LDAP_BIND_DN={{ ldap_bind_dn }}
+ - LDAP_BIND_PW={{ email_ldap_api_token }}
+
+ - LDAP_QUERY_FILTER_USER={{ ldap_query_filter_user }}
+ - LDAP_QUERY_FILTER_GROUP={{ ldap_query_filter_group }}
+ - LDAP_QUERY_FILTER_ALIAS={{ ldap_query_filter_alias }}
+ - LDAP_QUERY_FILTER_DOMAIN={{ ldap_query_filter_domain }}
+ - LDAP_QUERY_FILTER_SENDERS={{ ldap_query_filter_senders }}
+
+ - POSTMASTER_ADDRESS={{ postmaster_email }}
+
+ - SASLAUTHD_MECHANISMS=ldap
+ - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }}
+
+ - ENABLE_OAUTH2=1
+ - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
+
+ - DEFAULT_RELAY_HOST={{ default_relay_host }}
+ - RELAY_USER={{ relay_user }}
+ - RELAY_PASSWORD={{ relay_password }}
+
+ networks:
+ - mailserver
+ - proxy
+
+networks:
+ mailserver:
+ roundcube:
+ proxy:
+ external: true
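Review bot: `LDAP_BIND_PW` and `RELAY_PASSWORD` in the mailserver `environment:` list are rendered as plaintext into the compose file and carried in the service definition, so anyone who can read the rendered file or inspect the service can recover them. If the image can read these values from files, Swarm `secrets:` mounted into the container would keep them out of the spec. Otherwise the Ansible task that renders this template (not visible in this diff) should at least set `mode: "0600"` and `no_log: true`. The entries are also unquoted, so a password containing ` #` would be cut off by the YAML parser, and a `$` may be treated as variable interpolation by the compose loader. Quoting the item, e.g. `- "RELAY_PASSWORD={{ relay_password }}"`, and escaping `$` as `$$` avoids both.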