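# Compose override for running mailcow behind Coolify's Traefik proxy.
# Keep the base mailcow-dockerized/docker-compose.yml untouched and load this
# file as an override on top of it.
#
# After any change, render the merged model with `docker compose config` and
# confirm that nginx-mailcow publishes no host ports and carries the labels
# below.
services:
  nginx-mailcow:
    # Drop the host bindings for 80/443 so that Traefik is the only listener.
    # Compose merges `ports` across files by appending, so a plain `ports: []`
    # in an override leaves the base file's bindings in place; the `!reset`
    # tag is what clears them. It needs a Compose release that supports the
    # tag. On older releases, move the bindings off 80/443 through the base
    # file's own variables instead.
    ports: !reset []
    networks:
      mailcow-network:
        aliases:
          - nginx
      traefik-proxy: {}
    environment:
      # nginx itself must not redirect HTTP, so ACME HTTP-01 requests forwarded
      # by Traefik are answered on port 80. The redirect for all other HTTP
      # traffic is applied at Traefik (labels below).
      HTTP_REDIRECT: '${HTTP_REDIRECT:-n}'
      # Addresses in this range are believed when they supply forwarded-client
      # headers. The default spans all of 172.16.0.0/12, so every container
      # with an address in that range is trusted, not just the proxy. Set
      # TRUSTED_PROXIES to the subnet of the proxy network
      # (`docker network inspect` shows it).
      # NOTE(review): this only helps on the HTTP route. On the TLS passthrough
      # route Traefik cannot add headers, so nginx sees the proxy's address for
      # HTTPS clients unless PROXY protocol is enabled on both the Traefik TCP
      # service and the nginx listener. Check what logging and IP-based banning
      # will record before relying on them.
      TRUSTED_PROXIES: '${TRUSTED_PROXIES:-172.16.0.0/12}'
    labels:
      traefik.enable: 'true'
      traefik.docker.network: '${TRAEFIK_NETWORK:-coolify-proxy}'

      # ACME HTTP-01: the longer rule gives this router priority over
      # mailcow-http, and it has no redirect middleware, so challenge requests
      # reach nginx over plain HTTP.
      traefik.http.routers.mailcow-acme.rule: 'Host(`mail.karmacoma.dev`) && PathPrefix(`/.well-known/acme-challenge/`)'
      traefik.http.routers.mailcow-acme.entrypoints: web
      traefik.http.routers.mailcow-acme.service: mailcow-http

      # All other HTTP traffic is redirected to HTTPS.
      traefik.http.routers.mailcow-http.rule: 'Host(`mail.karmacoma.dev`)'
      traefik.http.routers.mailcow-http.entrypoints: web
      traefik.http.routers.mailcow-http.service: mailcow-http
      traefik.http.middlewares.mailcow-https-redirect.redirectscheme.scheme: https
      traefik.http.routers.mailcow-http.middlewares: mailcow-https-redirect
      traefik.http.services.mailcow-http.loadbalancer.server.port: '80'

      # HTTPS is passed through so mailcow can present its own certificate.
      # Traefik does not terminate TLS here, so HTTP middlewares (headers,
      # rate limits, auth) never apply to this route. TLS settings and
      # security headers are whatever mailcow's nginx is configured to send.
      traefik.tcp.routers.mailcow-https.rule: 'HostSNI(`mail.karmacoma.dev`)'
      traefik.tcp.routers.mailcow-https.entrypoints: websecure
      traefik.tcp.routers.mailcow-https.tls.passthrough: 'true'
      traefik.tcp.routers.mailcow-https.service: mailcow-https
      traefik.tcp.services.mailcow-https.loadbalancer.server.port: '443'

networks:
  # Existing proxy network created by Coolify. Compose will not create it and
  # fails if it is absent.
  traefik-proxy:
    external: true
    name: '${TRAEFIK_NETWORK:-coolify-proxy}'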