DOCKERMAILSERVER-LXC/stack/docker-compose.yml

# ============================================================================
#  docker-mailserver Stack
#    mailserver   – Postfix/Dovecot/Rspamd (docker-mailserver)
#    admin-api    – Node.js API (Supabase-Auth) verwaltet DMS-Config-Dateien
#    admin-ui     – React-Admin Oberfläche (nginx, proxyt /api -> admin-api)
#    snappymail   – schlankes Webmail für die Mitarbeiter
#
#  TLS/HTTPS für admin-ui & snappymail macht der Nginx Proxy Manager
#  (separater Stack), der auf ADMIN_PORT / WEBMAIL_PORT dieses Hosts zeigt.
# ============================================================================
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:${DMS_TAG:-latest}
    container_name: mailserver
    hostname: ${MAIL_FQDN}
    env_file: mailserver.env
    environment:
      - OVERRIDE_HOSTNAME=${MAIL_FQDN}
      - POSTMASTER_ADDRESS=postmaster@${MAIL_DOMAIN}
    ports:
      - "25:25"      # SMTP (eingehender MX-Verkehr)
      - "143:143"    # IMAP (STARTTLS)
      - "465:465"    # SMTP Submission (implicit TLS)
      - "587:587"    # SMTP Submission (STARTTLS)
      - "993:993"    # IMAP (implicit TLS)
      - "${RSPAMD_PORT:-11334}:11334"  # Rspamd Web-UI — NUR über NPM/Firewall öffnen!
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/certs/:/etc/letsencrypt/:ro   # Zertifikate (NPM DNS-Challenge)
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    cap_add:
      - NET_ADMIN    # für Fail2ban
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

  # docker-socket-proxy: gibt der Admin-API NUR exec frei (kein create/delete/...)
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: dms-socket-proxy
    restart: always
    security_opt:
      - no-new-privileges:true
    environment:
      - CONTAINERS=1
      - EXEC=1
      - POST=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  admin-api:
    build: ./api
    container_name: dms-admin-api
    restart: always
    security_opt:
      - no-new-privileges:true
    environment:
      - CONFIG_DIR=/config
      - MAIL_DOMAIN=${MAIL_DOMAIN}
      - MAIL_DOMAINS=${MAIL_DOMAINS}
      - MAIL_FQDN=${MAIL_FQDN}
      - BRAND=${BRAND}
      - WEBMAIL_FQDN=${WEBMAIL_FQDN}
      - ADMIN_FQDN=${ADMIN_FQDN}
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      - ADMIN_ALLOWED_EMAILS=${ADMIN_ALLOWED_EMAILS}
      # Bridge zum Mailserver: nur exec über den socket-proxy, Whitelist in der API
      - DOCKER_PROXY=socket-proxy:2375
      - MAILSERVER_CONTAINER=mailserver
    depends_on:
      - socket-proxy
    volumes:
      # Schreibzugriff auf die DMS-Config-Dateien (kein direkter Docker-Socket!)
      - ./docker-data/dms/config/:/config/
    expose:
      - "3000"

  admin-ui:
    build:
      context: ./admin
      args:
        # Werden zur Laufzeit via /config.js injiziert (siehe entrypoint)
        - VITE_SUPABASE_URL=${SUPABASE_URL}
        - VITE_SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
    container_name: dms-admin-ui
    restart: always
    security_opt:
      - no-new-privileges:true
    depends_on:
      - admin-api
    environment:
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
    ports:
      - "${ADMIN_PORT:-8080}:80"

  snappymail:
    image: djmaze/snappymail:latest
    container_name: snappymail
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - "${WEBMAIL_PORT:-8888}:8888"
    volumes:
      - ./docker-data/snappymail/:/var/lib/snappymail/   # echter Datenpfad der djmaze-Image
      - ./snappymail-theme/:/snappymail/themes/:ro       # KGVA "Shibui"-Theme