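---
# Compose/Swarm stack template (Jinja2): Roundcube webmail published through
# Traefik, plus docker-mailserver with LDAP account provisioning.
# The template is rendered to text first and only then parsed as YAML, so
# review the rendered output as well. Jinja block tags are kept at column 0 so
# that block trimming cannot shift the indentation of the keys after them.
services:
  roundcube:
    # NOTE(review): ":latest" is a mutable tag, so every redeploy may pull a
    # different, unreviewed image. Pin a release tag or an image digest.
    image: roundcube/roundcubemail:latest
    volumes:
      - "{{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db"
      - "{{ mail_base }}/volumes/data/roundcube/config:/var/roundcube/config/"
    environment:
      - DEPLOYMENT_TIME={{ deployment_time }}
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN={{ roundcube_skin | default('elastic') }}
      - ROUNDCUBEMAIL_PLUGINS={{ roundcube_plugins }}
      - ROUNDCUBEMAIL_COMPOSER_PLUGINS={{ roundcube_composer_plugins }}
      # NOTE(review): whether IMAP/SMTP from the webmail container is wrapped
      # in TLS depends on the scheme in these host variables - confirm.
      - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
      - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
      - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
      - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
    networks:
      - proxy
      - roundcube
    healthcheck:
      test: ["CMD", "curl", "--fail", "http://localhost:80"]
      timeout: 3s
      interval: 30s
      retries: 2
    deploy:
      mode: replicated
      replicas: 1
      labels:
        # TLS is terminated at Traefik; the hop to the container is plain HTTP
        # on port 80 over the "proxy" network.
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.mail.tls=true
        - traefik.http.routers.mail.tls.certResolver=letsencrypt
        - traefik.http.routers.mail.rule=Host(`{{ mail_domain }}`)
        - traefik.http.routers.mail.entrypoints=websecure
        - traefik.http.services.mail.loadbalancer.server.port=80

  mailserver:
    # NOTE(review): mutable ":latest" tag on an internet-facing mail server;
    # pin a release tag or an image digest so upgrades are deliberate.
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    hostname: "{{ mail_domain }}"
{% if homelab_build %}
    # Homelab builds start through a wait script and run without a health
    # check, so the orchestrator cannot detect a broken mail server and a
    # start-first update is considered successful as soon as the task runs.
    command:
      - /scripts/wait-for-cert.sh
    healthcheck:
      disable: true
{% else %}
    healthcheck:
      test: ["CMD-SHELL", "ss --listening --tcp | grep -P :smtp"]
      interval: 3s
      timeout: 2s
      retries: 3
{% endif %}
    # Ports are quoted so that low port pairs are never read as base-60 ints.
    # NOTE(review): under Swarm the short syntax publishes in ingress mode,
    # where the container does not see the real client address. Fail2Ban and
    # any address-based relay or rate rules then act on the ingress address -
    # confirm, and consider host-mode publishing if client IPs matter.
    ports:
      - '25:25'
      - '587:587'
      - '465:465'
      - '143:143'
      - '993:993'
      - '4190:4190'
      - '110:110'
      - '995:995'
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        failure_action: rollback
        order: start-first
    # This service declares no "networks:" key, so it joins the stack's default
    # network rather than "roundcube" - presumably intended; verify.
    volumes:
      # Quoted like the roundcube volumes: an entry that starts with a brace is
      # otherwise fragile if the file is ever parsed before it is rendered.
      # NOTE(review): /scripts/ is writable from inside the container and is
      # also the source of the start command; ":ro" would stop a compromised
      # container from changing what runs on the next start - confirm nothing
      # writes there.
      - "{{ mail_base }}/volumes/scripts/:/scripts/"
      - "{{ mail_base }}/volumes/data/dms/vmail/:/var/mail/"
      - "{{ mail_base }}/volumes/data/dms/mail-state/{{ deployment_time }}/:/var/mail-state/"
      - "{{ mail_base }}/volumes/data/dms/mail-logs/:/var/log/mail/"
      - "{{ mail_base }}/volumes/data/dms/config/:/tmp/docker-mailserver/"
      - "{{ mail_base }}/volumes/data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext"
      # Certificates and private key are exposed read-only.
      - "{{ letsencrypt_certs }}:/certs/:ro"
      - /etc/localtime:/etc/localtime:ro
    environment:
      - DEPLOYMENT_TIME={{ deployment_time }}
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/certs/{{ mail_domain }}.pem
      - SSL_KEY_PATH=/certs/{{ mail_domain }}.key
      # Content scanning is switched off in this container; make sure that is
      # a deliberate choice (for example, filtering done upstream).
      - ENABLE_CLAMAV=0
      - ENABLE_AMAVIS=0
      - ENABLE_SASLAUTHD=1
      - ENABLE_MANAGESIEVE=1
      - ENABLE_POSTGREY=0
      # NOTE(review): the docker-mailserver documentation asks for the
      # NET_ADMIN capability when Fail2Ban is enabled; this service sets no
      # cap_add, so bans may never be applied - confirm.
      - ENABLE_FAIL2BAN=1
      - SPOOF_PROTECTION=1
      - ACCOUNT_PROVISIONER=LDAP
      # Free-form templated values are single-quoted so that a " #" or ": "
      # inside a filter, URL or secret cannot truncate the value or break
      # parsing. A value containing a single quote must double it.
      # NOTE(review): confirm the LDAP host uses ldaps:// or StartTLS, since
      # the bind password travels over that connection.
      - 'LDAP_SERVER_HOST={{ ldap_server_host }}'
      - 'LDAP_SEARCH_BASE={{ ldap_search_base }}'
      - 'LDAP_BIND_DN={{ ldap_bind_dn }}'
      # Secrets below are rendered in cleartext into the stack file and stay
      # readable through service/container inspection. Restrict permissions on
      # the rendered file and keep it out of logs and version control.
      - 'LDAP_BIND_PW={{ email_ldap_api_token }}'
      - 'LDAP_QUERY_FILTER_USER={{ ldap_query_filter_user }}'
      - 'LDAP_QUERY_FILTER_GROUP={{ ldap_query_filter_group }}'
      - 'LDAP_QUERY_FILTER_ALIAS={{ ldap_query_filter_alias }}'
      - 'LDAP_QUERY_FILTER_DOMAIN={{ ldap_query_filter_domain }}'
      - 'LDAP_QUERY_FILTER_SENDERS={{ ldap_query_filter_senders }}'
      - SASLAUTHD_MECHANISMS=rimap
      - SASLAUTHD_MECH_OPTIONS=127.0.0.1
      - ENABLE_OAUTH2=1
      - 'OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}'
      - 'DEFAULT_RELAY_HOST={{ default_relay_host }}'
      - 'RELAY_USER={{ relay_user }}'
      - 'RELAY_PASSWORD={{ relay_password }}'
      - 'POSTMASTER_ADDRESS={{ postmaster_email }}'

networks:
  # Stack-local network; an explicit empty mapping instead of a bare key.
  roundcube: {}
  # Pre-existing network shared with Traefik; not created by this stack.
  proxy:
    external: true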