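# Mail stack behind a WireGuard tunnel.
#
# Everything that needs the public address (mailserver, caddy) joins the
# wireguard container's network namespace via `network_mode: service:wireguard`,
# so the tunnel endpoint is the only place ports are reachable from outside.
#
# NOTE(review): every image is pulled as `:latest`; pin each one to a specific
# tag or digest (e.g. `image: caddy:<PINNED_TAG>`) so an upstream release cannot
# land unreviewed on the next `docker compose pull`.
# NOTE(review): ${HOSTNAME} and the RELAY_* values are interpolated from the
# environment / .env file; keep that file out of version control since it
# carries RELAY_PASSWORD.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    # Quoted so an empty expansion becomes "" instead of a null scalar.
    hostname: "${HOSTNAME}"
    cap_add:
      - NET_ADMIN  # required to create the wg0 interface
    environment:
      - TZ=America/Edmonton
    volumes:
      # Tunnel config (contains the private key) — keep it out of VCS.
      - ./wireguard.conf:/config/wg_confs/wg0.conf
    restart: always
    sysctls:
      - net.ipv4.ip_forward=1

  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    # Shares the tunnel's network namespace; Compose should treat this as an
    # implicit dependency on `wireguard` — confirm with `docker compose config`.
    network_mode: service:wireguard
    volumes:
      - ./data/dms/mail-data/:/var/mail/
      - ./data/dms/mail-state/:/var/mail-state/
      - ./data/dms/mail-logs/:/var/log/mail/
      - ./data/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      # Enable ingestion from S3
      #- ./s3-ingest.py:/usr/local/bin/s3-ingest:ro
      #- ./cron/s3:/etc/cron.d/s3:ro
      # Enable full text searching
      # https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/full-text-search/
      - ./fts-xapian-plugin.conf:/etc/dovecot/conf.d/10-plugin.conf:ro
      - ./cron/fts_xapian:/etc/cron.d/fts_xapian:ro
      # when initializing, these need to be commented out because they don't exist.
      # until Caddy has had a chance to fetch them.
      # (A bind mount of a missing host path is created as a directory, which
      # would then shadow the real certificate file once Caddy writes it.)
      # The issuer directory (acme.zerossl.com-v2-dv90) must match the CA Caddy
      # actually obtained the certificate from; check ./data/caddy/certificates/.
      - ./data/caddy/certificates/acme.zerossl.com-v2-dv90/${HOSTNAME}/${HOSTNAME}.crt:/etc/letsencrypt/live/${HOSTNAME}/fullchain.pem:ro
      - ./data/caddy/certificates/acme.zerossl.com-v2-dv90/${HOSTNAME}/${HOSTNAME}.key:/etc/letsencrypt/live/${HOSTNAME}/privkey.pem:ro
    environment:
      - ENABLE_RSPAMD=1
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=1
      - ENABLE_DNSBL=1
      - ENABLE_CLAMAV=1
      - ENABLE_POP3=1
      # We'll leverage certs from Caddy here
      - SSL_TYPE=letsencrypt
      # Assume we can't send outbound mail. Relay sent mail through
      # something like Mailgun or Amazon SES
      - RELAY_HOST=${RELAY_HOST}
      - RELAY_PORT=${RELAY_PORT}
      - RELAY_USER=${RELAY_USER}
      - RELAY_PASSWORD=${RELAY_PASSWORD}
    cap_add:
      - NET_ADMIN  # For Fail2Ban to work (it edits iptables in the shared namespace)
    restart: always

  # ========= WEBMAIL =========================================
  # Who doesn't want webmail. Besides we can piggy back on this
  # to fetch TLS certificates for our IMAP/SMTP services.
  caddy:
    image: caddy:latest
    restart: always
    network_mode: service:wireguard
    volumes:
      # Mount Caddyfile for configuration — read-only, Caddy never writes it.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # Persistent storage for certificates; the mailserver cert mounts above
      # read from this same host directory.
      - ./data/caddy:/data/caddy

  roundcube:
    image: roundcube/roundcubemail:latest
    container_name: roundcubemail
    restart: always
    volumes:
      - ./data/roundcube/www:/var/www/html
      - ./data/roundcube/db:/var/roundcube/db
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      # Talks to the mailserver through the public hostname (STARTTLS).
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://${HOSTNAME}
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://${HOSTNAME}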