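# {{ ansible_managed }}
# Docker Compose to create certificate for mail domain
# Do not run this and mailserver at same time (Uses the same VPN config and hostname)
# TODO: Would be nice at some point to be able to use a different port exposed on
# mail.{{ domain_name }} for privacy aside from the default port 80. Could not get it
# working though, certbot has issues even when proxying from one port to port 80.
# Seems to be an issue with Gluetun and Certbot being only able to bind to ipv6 port 80.
# WE ARE NOW HANDLING SSL CERTIFICATE RENEWAL ON PROXY, USE PROVIDED SCRIPT IN DIR TO
# COPY CERTS FROM PROXY TO HERE
---
services:
  # Gluetun is used to connect container to VPN
  certbot-gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
      # NOTE: the rendered compose file holds this private key in plain text on disk.
      # Keep the file's permissions tight, or hand the key over as a Docker secret file
      # (Gluetun can read it via WIREGUARD_PRIVATE_KEY_SECRETFILE) so it never lands here.
      - WIREGUARD_PRIVATE_KEY={{ mail_service_privkey }}
      - WIREGUARD_ADDRESSES=10.0.0.2/32
      # Only the ACME HTTP-01 port (80) and 443 are allowed in from the VPN side;
      # everything else stays blocked by Gluetun's firewall.
      - FIREWALL_VPN_INPUT_PORTS=80,443
    ports:
      - "80:80"  # HTTP
  certbot:
    image: certbot/certbot
    # Share the VPN container's network namespace so the challenge is answered
    # through the tunnel, not the host's own interface.
    network_mode: "service:certbot-gluetun"
    # Start only once Gluetun's built-in healthcheck reports the tunnel up, instead
    # of racing it with a fixed sleep.
    depends_on:
      certbot-gluetun:
        condition: service_healthy
    volumes:
      - ./data/certbot/certs:/etc/letsencrypt
      - ./data/certbot/logs:/var/log/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    # TODO: --standalone only answers the HTTP-01 challenge, which Let's Encrypt does
    # not accept for a wildcard name; a wildcard needs a DNS-01 plugin, otherwise list
    # the concrete hostnames with -d. The name is single-quoted so the shell does not
    # glob-expand the '*' before certbot sees it.
    entrypoint: >-
      sh -c "certbot certonly --standalone
      -d '*.{{ domain_name }}'
      --noninteractive --agree-tos
      --email alerts@{{ domain_name }} --no-eff-email"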