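# Jinja-templated Swarm stack: Roundcube webmail plus docker-mailserver,
# both published through Traefik (HTTP router for webmail, TCP routers for
# the mail ports). The file is rendered by the template engine first and only
# then read as YAML, so the {% ... %} lines sit at column 0.
#
# The rendered file contains the LDAP bind password and the relay password in
# plaintext, and environment values are also visible when the service
# definition is inspected. Restrict read access to the rendered file and to
# the Docker API accordingly.
services:
  roundcube:
    # `latest-nonroot` is a moving tag: pin a reviewed version tag or image
    # digest so a redeploy cannot silently pull a different image.
    image: roundcube/roundcubemail:latest-nonroot
    restart: always
    volumes:
      - {{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db
      - {{ mail_base }}/volumes/data/roundcube/config:/var/roundcube/config
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_PLUGINS={{ roundcube_plugins }}
      - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
      - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
      - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
      - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
    networks:
      - proxy
      - roundcube
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.mail.tls=true
        - traefik.http.routers.mail.tls.certResolver=letsencrypt
        - traefik.http.routers.mail.rule=Host(`{{ mail_domain }}`)
        - traefik.http.routers.mail.entrypoints=websecure
        - traefik.http.services.mail.loadbalancer.server.port=8000

  mailserver:
    # `latest` is a moving tag: pin a reviewed version tag or image digest.
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    # Quoted so an empty or odd-looking expansion still parses as a string.
    hostname: "{{ mail_domain }}"
{% if homelab_build %}
    # Delay start-up once if the certificate is not there yet. The test now
    # looks at the file SSL_CERT_PATH points to; the previous path
    # (/etc/letsencrypt/live/...) is not mounted by this service, so the test
    # was always true and every start slept for 60 seconds.
    command:
      - /bin/sh
      - -c
      - |
        [ ! -f "/certs/{{ mail_domain }}.pem" ] && sleep 60 # Sleep until certificate requested from traefik
        supervisord -c /etc/supervisor/supervisord.conf
    # With the health check disabled the orchestrator cannot tell a hung
    # mail server from a healthy one in this build.
    healthcheck:
      disable: true
{% endif %}
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        # NOTE(review): every mail port reaches the container through Traefik.
        # Unless PROXY protocol is configured on both Traefik and the mail
        # services, the container presumably sees Traefik's address as the
        # client, so Fail2ban bans and Postfix client checks would act on the
        # proxy rather than the remote host. Verify before relying on them.
        # ManageSieve
        - traefik.tcp.routers.sieve.tls.passthrough=true
        - traefik.tcp.routers.sieve.rule=HostSNI(`*`)
        - traefik.tcp.routers.sieve.entrypoints=sieve
        - traefik.tcp.routers.sieve.service=sieve
        - traefik.tcp.services.sieve.loadbalancer.server.port=4190
        # IMAP
        - traefik.tcp.routers.imap.tls.passthrough=true
        - traefik.tcp.routers.imap.rule=HostSNI(`*`)
        - traefik.tcp.routers.imap.entrypoints=imap
        - traefik.tcp.routers.imap.service=imap
        - traefik.tcp.services.imap.loadbalancer.server.port=993
        # SMTPS
        # Was entrypoints=smtp / service=smtp, which pointed this router at
        # the port-25 service, duplicated the `smtp` router's rule on the same
        # entrypoint and left the 465 service below unreferenced.
        # Requires an `smtps` entrypoint in Traefik's static configuration;
        # confirm it exists.
        - traefik.tcp.routers.smtps.tls.passthrough=true
        - traefik.tcp.routers.smtps.rule=HostSNI(`*`)
        - traefik.tcp.routers.smtps.entrypoints=smtps
        - traefik.tcp.routers.smtps.service=smtps
        - traefik.tcp.services.smtps.loadbalancer.server.port=465
        # SMTP (StartTLS)
        # NOTE(review): 587 and 25 start in plaintext and upgrade with
        # STARTTLS, so the client sends no TLS ClientHello up front. Confirm
        # that a tls.passthrough router matches these connections in the
        # Traefik version in use.
        - traefik.tcp.routers.smtptls.tls.passthrough=true
        - traefik.tcp.routers.smtptls.rule=HostSNI(`*`)
        - traefik.tcp.routers.smtptls.entrypoints=smtptls
        - traefik.tcp.routers.smtptls.service=smtptls
        - traefik.tcp.services.smtptls.loadbalancer.server.port=587
        # SMTP ("ye' old")
        - traefik.tcp.routers.smtp.tls.passthrough=true
        - traefik.tcp.routers.smtp.rule=HostSNI(`*`)
        - traefik.tcp.routers.smtp.entrypoints=smtp
        - traefik.tcp.routers.smtp.service=smtp
        - traefik.tcp.services.smtp.loadbalancer.server.port=25
    volumes:
      - {{ mail_base }}/volumes/data/dms/vmail:/var/mail/
      - {{ mail_base }}/volumes/data/dms/mail-state:/var/mail-state/
      - {{ mail_base }}/volumes/data/dms/mail-logs:/var/log/mail/
      - {{ mail_base }}/volumes/data/dms/config:/tmp/docker-mailserver/
      - {{ mail_base }}/volumes/data/dms/config/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf.ext
      # Certificates and private keys are mounted read-only.
      - {{ letsencrypt_certs }}:/certs/:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/certs/{{ mail_domain }}.pem
      - SSL_KEY_PATH=/certs/{{ mail_domain }}.key
      - ENABLE_CLAMAV=0
      - ENABLE_AMAVIS=0
      # NOTE(review): docker-mailserver documents that Fail2ban needs the
      # NET_ADMIN capability to apply bans; this service sets no cap_add.
      # Confirm bans actually take effect.
      - ENABLE_FAIL2BAN=1
      - ENABLE_SASLAUTHD=1
      - ENABLE_MANAGESIEVE=1
      - ENABLE_POSTGREY=0
      - SPOOF_PROTECTION=1
      - ACCOUNT_PROVISIONER=LDAP
      - LDAP_SERVER_HOST={{ ldap_server_host }}
      - LDAP_SEARCH_BASE={{ ldap_search_base }}
      - LDAP_BIND_DN={{ ldap_bind_dn }}
      # Secrets are arbitrary strings: as a plain scalar a value containing
      # " #" is cut off at the comment marker and one containing ": " breaks
      # parsing. Single-quote them and double any embedded quote. A "$" in
      # the value is still subject to Compose variable interpolation.
      - 'LDAP_BIND_PW={{ email_ldap_api_token | replace("'", "''") }}'
      - LDAP_QUERY_FILTER_USER={{ ldap_query_filter_user }}
      - LDAP_QUERY_FILTER_GROUP={{ ldap_query_filter_group }}
      - LDAP_QUERY_FILTER_ALIAS={{ ldap_query_filter_alias }}
      - LDAP_QUERY_FILTER_DOMAIN={{ ldap_query_filter_domain }}
      - LDAP_QUERY_FILTER_SENDERS={{ ldap_query_filter_senders }}
      - POSTMASTER_ADDRESS={{ postmaster_email }}
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }}
      - ENABLE_OAUTH2=1
      - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
      - DEFAULT_RELAY_HOST={{ default_relay_host }}
      - RELAY_USER={{ relay_user }}
      - 'RELAY_PASSWORD={{ relay_password | replace("'", "''") }}'
    networks:
      - mailserver
      - proxy

networks:
  mailserver:
  roundcube:
  # Created outside this stack; shared with Traefik.
  proxy:
    external: true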