version: '3.7'

services:
  mail-app:
    image: mlan/kopano:8.7.80-3.5.2
    restart: unless-stopped
    networks:
      - proxy
      - backend
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:mail.${DOMAIN-docker.localhost}
      - traefik.docker.network=${COMPOSE_PROJECT_NAME}_proxy
      - traefik.port=80
    depends_on:
      - auth
      - mail-db
      - mail-mta
    environment:
      - USER_PLUGIN=ldap
      - LDAP_HOST=auth
      - MYSQL_HOST=mail-db
      - SMTP_SERVER=mail-mta
      - LDAP_SEARCH_BASE=${LDAP_BASE}
      - LDAP_USER_TYPE_ATTRIBUTE_VALUE=kopano-user
      - LDAP_GROUP_TYPE_ATTRIBUTE_VALUE=kopano-group
      - LDAP_USER_SEARCH_FILTER=(kopanoAccount=1)
      - SYSLOG_LEVEL=4
    env_file:
      - .init.env
    volumes:
      - mail-conf:/etc/kopano
      - mail-atch:/var/lib/kopano/attachments
      - mail-sync:/var/lib/z-push

  mail-mta:
    image: mlan/postfix-amavis:3.8
    restart: unless-stopped
    hostname: ${MAIL_SRV-mx}.${MAIL_DOMAIN-docker.localhost}
    networks:
      - backend
    ports:
      - "25:25"
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:${MAIL_SRV-mx}.${MAIL_DOMAIN-docker.localhost}
      - traefik.docker.network=${COMPOSE_PROJECT_NAME}_proxy
      - traefik.port=80
    depends_on:
      - auth
    environment:
      - MESSAGE_SIZE_LIMIT=${MESSAGE_SIZE_LIMIT-25600000}
      - LDAP_HOST=auth
      - DAGENT_TRANSPORT=lmtp:mail-app:2003
      - SMTP_RELAY_HOSTAUTH=${SMTP_RELAY_HOSTAUTH}
      - SMTP_TLS_SECURITY_LEVEL=${SMTP_TLS_SECURITY_LEVEL-}
      - SMTP_TLS_WRAPPERMODE=${SMTP_TLS_WRAPPERMODE-no}
      - LDAP_USER_BASE=${LDAP_USEROU},${LDAP_BASE}
      - LDAP_GROUP_BASE=${LDAP_GROUPOU},${LDAP_BASE}
      - LDAP_QUERY_FILTER_USER=(&(kopanoAccount=1)(mail=%s))
      - LDAP_QUERY_FILTER_ALIAS=(&(kopanoAccount=1)(kopanoAliases=%s))
      - LDAP_QUERY_FILTER_GROUP=(&(objectclass=kopano-group)(mail=%s))
      - LDAP_QUERY_FILTER_EXPAND=(&(objectclass=kopano-user)(uid=%s))
      - DKIM_SELECTOR=${DKIM_SELECTOR-default}
      - SYSLOG_LEVEL=5
    env_file:
      - .init.env
    volumes:
      - mail-mta:/var
      - proxy-acme:/acme

  mail-db:
    image: mariadb
    restart: unless-stopped
    command: ['--log_warnings=1']
    networks:
      - backend
    environment:
      - LANG=C.UTF-8
    env_file:
      - .init.env
    volumes:
      - mail-db:/var/lib/mysql

  auth:
    image: mlan/openldap:1.0
    restart: unless-stopped
    networks:
      - backend
    environment:
      - LDAP_LOGLEVEL=parse
    volumes:
      - auth-conf:/srv/conf
      - auth-data:/srv/data

  proxy:
    image: traefik:alpine
    restart: unless-stopped
    command:
      - "--api"
      - "--docker"
      - "--defaultentrypoints=http,https"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS"
      - "--retry"
      - "--docker.domain=${DOMAIN-docker.localhost}"
      - "--docker.exposedbydefault=false"
      - "--docker.watch=true"
      - "--acme"
      - "--acme.email=${CERTMASTER-certmaster}@${DOMAIN-docker.localhost}"
      - "--acme.entrypoint=https"
      - "--acme.onhostrule=true"
      - "--acme.storage=/acme/acme.json"
      - "--acme.httpchallenge"
      - "--acme.httpchallenge.entrypoint=http"
      - "--loglevel=ERROR"
    cap_drop:
      - all
    cap_add:
      - net_bind_service
    networks:
      - proxy
    ports:
      - "80:80"       # The HTTP port
      - "443:443"     # The HTTPS port
    labels:
      - traefik.enable=true
      - traefik.docker.network=${COMPOSE_PROJECT_NAME}_proxy
      - traefik.port=8080
      - traefik.frontend.passHostHeader=true
      - traefik.frontend.rule=Host:monitor.${DOMAIN-docker.localhost}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - proxy-acme:/acme
      - /dev/null:/traefik.toml

networks:
  proxy:
  backend:

volumes:
  proxy-acme:
  mail-conf:
  mail-atch:
  mail-db:
  mail-mta:
  mail-sync:
  auth-conf:
  auth-data: