Diffstat (limited to 'playbooks/roles/mail/templates/stacks')
-rw-r--r--playbooks/roles/mail/templates/stacks/docker-compose.yml98
1 files changed, 46 insertions, 52 deletions
diff --git a/playbooks/roles/mail/templates/stacks/docker-compose.yml b/playbooks/roles/mail/templates/stacks/docker-compose.yml
index 50108c1..b4cc3e0 100644
--- a/playbooks/roles/mail/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/mail/templates/stacks/docker-compose.yml
@@ -4,11 +4,13 @@ services:
restart: always
volumes:
- {{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db
- - {{ mail_base }}/volumes/data/roundcube/config:/var/roundcube/config
+ - {{ mail_base }}/volumes/data/roundcube/config:/var/roundcube/config/
environment:
+ - DEPLOYMENT_TIME={{ now() }}
- ROUNDCUBEMAIL_DB_TYPE=sqlite
- - ROUNDCUBEMAIL_SKIN=elastic
+ - ROUNDCUBEMAIL_SKIN={{ roundcube_skin | default('elastic') }}
- ROUNDCUBEMAIL_PLUGINS={{ roundcube_plugins }}
+ - ROUNDCUBEMAIL_COMPOSER_PLUGINS={{ roundcube_composer_plugins }}
- ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
- ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
- ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
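Review bot: `ROUNDCUBEMAIL_COMPOSER_PLUGINS={{ roundcube_composer_plugins }}` presumably has the container fetch Composer packages from the network at start-up, so the value of `roundcube_composer_plugins` (not visible in this diff) should pin exact package versions rather than ranges, otherwise each restart can pull a different plugin build into the webmail container. The added `DEPLOYMENT_TIME={{ now() }}` also makes the rendered stack file differ on every playbook run, which forces a service update each time; if that is the intended redeploy trigger, a comment such as `# Changes on every run: forces a re-deploy of the service` would save the next reader the guess. The roundcube service definition starts before this hunk.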
@@ -16,6 +18,11 @@ services:
networks:
- proxy
- roundcube
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "http://localhost:8000"]
+ timeout: 3s
+ interval: 30s
+ retries: 2
deploy:
mode: replicated
replicas: 1
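Review bot: The new healthcheck has no `start_period`, so with `interval: 30s` and `retries: 2` a replica is marked unhealthy roughly 60s after it starts; since the service now presumably installs Composer plugins at boot, a slow first start would be killed by Swarm before it ever serves a request. Adding `start_period: 60s` (tuned to the observed boot time) keeps failures during start-up from counting. The check also assumes `curl` exists in the image and that the app listens on port 8000 inside the container — worth confirming, because a missing binary makes the check fail permanently rather than reporting anything useful. The roundcube service continues outside this hunk.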
@@ -31,70 +38,62 @@ services:
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
hostname: {{ mail_domain }}
+ command:
+ - /scripts/wait-for-cert.sh
{% if homelab_build %}
- command:
- - /bin/sh
- - -c
- - |
- [ ! -f "/etc/letsencrypt/live/{{ mail_domain }}" ] && sleep 60 # Sleep until certificate requested from traefik
- supervisord -c /etc/supervisor/supervisord.conf
healthcheck:
disable: true
+{% else %}
+ healthcheck:
+ test: ["CMD-SHELL", "ss --listening --tcp | grep -P :smtp"]
+ interval: 3s
+ timeout: 2s
+ retries: 3
{% endif %}
+ ports:
+ - '25:25'
+ - '587:587'
+ - '465:465'
+ - '143:143'
+ - '993:993'
+ - '4190:4190'
+ - '110:110'
+ - '995:995'
+ stop_grace_period: 30s
deploy:
mode: replicated
replicas: 1
- labels:
- - traefik.enable=true
- - traefik.swarm.network=proxy
- # ManageSieve
- - traefik.tcp.routers.sieve.tls.passthrough=true
- - traefik.tcp.routers.sieve.rule=HostSNI(`*`)
- - traefik.tcp.routers.sieve.entrypoints=sieve
- - traefik.tcp.routers.sieve.service=sieve
- - traefik.tcp.services.sieve.loadbalancer.server.port=4190
- # IMAP
- - traefik.tcp.routers.imap.tls.passthrough=true
- - traefik.tcp.routers.imap.rule=HostSNI(`*`)
- - traefik.tcp.routers.imap.entrypoints=imap
- - traefik.tcp.routers.imap.service=imap
- - traefik.tcp.services.imap.loadbalancer.server.port=993
- # SMTPS
- - traefik.tcp.routers.smtps.tls.passthrough=true
- - traefik.tcp.routers.smtps.rule=HostSNI(`*`)
- - traefik.tcp.routers.smtps.entrypoints=smtps
- - traefik.tcp.routers.smtps.service=smtps
- - traefik.tcp.services.smtps.loadbalancer.server.port=465
- # SMTP (StartTLS)
- - traefik.tcp.routers.smtptls.tls.passthrough=true
- - traefik.tcp.routers.smtptls.rule=HostSNI(`*`)
- - traefik.tcp.routers.smtptls.entrypoints=smtptls
- - traefik.tcp.routers.smtptls.service=smtptls
- - traefik.tcp.services.smtptls.loadbalancer.server.port=587
- # SMTP ("ye' old")
- - traefik.tcp.routers.smtp.tls.passthrough=true
- - traefik.tcp.routers.smtp.rule=HostSNI(`*`)
- - traefik.tcp.routers.smtp.entrypoints=smtp
- - traefik.tcp.routers.smtp.service=smtp
- - traefik.tcp.services.smtp.loadbalancer.server.port=25
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ # order: start-first
+ # We need to stop the old container first because it holds a lock on the
+ # Postfix mail queue. I don't believe there is a feasible way to solve
+ # this without either a tiny bit of downtime waiting for the lock to clear,
+ # or lost mail since we'd have to ignore the lock and thus two competing mailservers
+ # are accepting mail.
+ # One of these is more acceptable than the other haha.
+ # See stuff in scripts/ for the last attempt if interested.
+ order: stop-first
volumes:
- - {{ mail_base }}/volumes/data/dms/vmail:/var/mail/
- - {{ mail_base }}/volumes/data/dms/mail-state:/var/mail-state/
- - {{ mail_base }}/volumes/data/dms/mail-logs:/var/log/mail/
- - {{ mail_base }}/volumes/data/dms/config:/tmp/docker-mailserver/
+ - {{ mail_base }}/volumes/scripts/:/scripts/
+ - {{ mail_base }}/volumes/data/dms/vmail/:/var/mail/
+ - {{ mail_base }}/volumes/data/dms/mail-state/:/var/mail-state/
+ - {{ mail_base }}/volumes/data/dms/mail-logs/:/var/log/mail/
+ - {{ mail_base }}/volumes/data/dms/config/:/tmp/docker-mailserver/
- {{ mail_base }}/volumes/data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext
- {{ letsencrypt_certs }}:/certs/:ro
- /etc/localtime:/etc/localtime:ro
environment:
+ - DEPLOYMENT_TIME={{ now() }}
- SSL_TYPE=manual
- SSL_CERT_PATH=/certs/{{ mail_domain }}.pem
- SSL_KEY_PATH=/certs/{{ mail_domain }}.key
- ENABLE_CLAMAV=0
- ENABLE_AMAVIS=0
- - ENABLE_FAIL2BAN=1
- ENABLE_SASLAUTHD=1
- ENABLE_MANAGESIEVE=1
- - ENABLE_POSTGREY=0
+ - ENABLE_POSTGREY=1
- SPOOF_PROTECTION=1
- ACCOUNT_PROVISIONER=LDAP
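Review bot: `ENABLE_FAIL2BAN=1` is dropped in the same change that starts publishing 25/587/465/143/993/4190/110/995 directly on the host, so brute-force protection disappears exactly when the plaintext-capable IMAP/POP3 ports 143 and 110 — which the removed Traefik labels never routed — become reachable from outside. If the removal is deliberate because the short-syntax `ports` go through Swarm's ingress routing mesh and Postfix/Dovecot then only ever see the ingress SNAT address, that is also the reason to switch to long syntax with `mode: host`, which preserves the client source IP so spoof protection, rate limiting and fail2ban have something to act on; the `proxy` network is removed from this service in the last hunk, so these published ports are its only exposure. Two smaller points: `{{ mail_base }}/volumes/scripts/:/scripts/` is mounted writable although the container only executes `/scripts/wait-for-cert.sh` from it, so `:ro` costs nothing, and `DEPLOYMENT_TIME={{ now() }}` together with `order: stop-first` means every playbook run restarts the mailserver with the downtime the comment above describes. The mailserver service definition continues past the end of this hunk.
```yaml
    ports:
      - target: 25
        published: 25
        protocol: tcp
        mode: host          # bypass the ingress mesh so the client IP reaches Postfix
      - target: 587
        published: 587
        protocol: tcp
        mode: host
      # … same long-syntax form for 465, 143, 993, 4190, 110, 995 …
    volumes:
      - {{ mail_base }}/volumes/scripts/:/scripts/:ro
      # … unchanged: vmail, mail-state, mail-logs, config, certs, localtime …
    environment:
      # … unchanged: DEPLOYMENT_TIME, SSL_*, ENABLE_CLAMAV, ENABLE_AMAVIS …
      - ENABLE_FAIL2BAN=1
      # … unchanged: ENABLE_SASLAUTHD onwards …
```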
@@ -121,12 +120,7 @@ services:
- RELAY_USER={{ relay_user }}
- RELAY_PASSWORD={{ relay_password }}
- networks:
- - mailserver
- - proxy
-
networks:
- mailserver:
roundcube:
proxy:
external: true