Make use of docker-compose.override.yml to track changes + completely disable ipv6

https://cloud.gnous.fr/apps/deck/#/board/4/card/25
https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/

.gitignore

@@ -59,7 +59,6 @@ data/web/inc/vars.local.inc.php
 data/web/inc/app_info.inc.php
 data/web/nextcloud*/
 data/web/rc*/
-docker-compose.override.yml
 mailcow.conf
 mailcow.conf_backup
 rebuild-images.sh

data/conf/dovecot/dovecot.conf

@@ -159,7 +159,7 @@ service lmtp {
   }
   user = vmail
 }
-listen = *,[::]
+listen = *
 ssl_cert = </etc/ssl/mail/cert.pem
 ssl_key = </etc/ssl/mail/key.pem
 userdb {

data/conf/nginx/dynmaps.conf

@@ -1,6 +1,5 @@
 server {
   listen 8081;
-  listen [::]:8081;
   index index.php index.html;
   server_name _;
   error_log  /var/log/nginx/error.log;

data/conf/nginx/templates/listen_plain.template

@@ -1,2 +1 @@
 listen ${HTTP_PORT};
-listen [::]:${HTTP_PORT};

data/conf/nginx/templates/listen_ssl.template

@@ -1,2 +1 @@
 listen ${HTTPS_PORT} ssl http2;
-listen [::]:${HTTPS_PORT} ssl http2;

data/conf/phpfpm/php-fpm.d/pools.conf

@@ -6,7 +6,7 @@ pm.max_children = 15
 pm.start_servers = 2
 pm.min_spare_servers = 2
 pm.max_spare_servers = 4
-listen = [::]:9001
+listen = 9001
 access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes
@@ -21,7 +21,7 @@ pm.max_children = 50
 pm.start_servers = 10
 pm.min_spare_servers = 10
 pm.max_spare_servers = 15
-listen = [::]:9002
+listen = 9002
 access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes

docker-compose.override.yml

@@ -0,0 +1,58 @@
+version: '2.1'
+services:
+
+    nginx-mailcow:
+      expose:
+        - "${HTTP_PORT:-80}"
+      networks:
+        proxy:
+        mailcow-network:
+          aliases:
+            - nginx
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.middlewares.mail-redirect-websecure.redirectscheme.scheme=https
+        - traefik.http.routers.mail-http.middlewares=mail-redirect-websecure
+        - traefik.http.routers.mail-http.rule=Host(`${MAILCOW_HOSTNAME}`)
+        - traefik.http.routers.mail-http.entrypoints=web
+        - traefik.http.routers.mail-https.rule=Host(`${MAILCOW_HOSTNAME}`)
+        - traefik.http.routers.mail-https.entrypoints=websecure
+        - traefik.http.routers.mail-https.tls=true
+        - traefik.http.routers.mail-https.tls.certresolver=myhttpchallenge
+        - traefik.http.services.mail.loadbalancer.server.port=80
+        - "co.elastic.logs/module=nginx"
+        - "co.elastic.logs/fileset=access"
+
+    certdumper:
+        image: humenius/traefik-certs-dumper
+        restart: always
+        # container_name: traefik_certdumper
+        network_mode: none
+        volumes:
+          # mount the folder which contains Traefik's `acme.json' file
+          #   in this case Traefik is started from its own docker-compose in ../traefik
+          - ${DATA_PATH}/traefik:/traefik:ro
+          # mount mailcow's SSL folder
+          - ./data/assets/ssl/:/output:rw
+        environment:
+          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
+          - DOMAIN=${MAILCOW_HOSTNAME}
+
+    ipv6nat-mailcow:
+      image: bash:latest
+      restart: "no"
+      entrypoint: ["echo", "ipv6nat disabled in compose.override.yml"]
+
+networks:
+  mailcow-network:
+    driver_opts:
+      com.docker.network.bridge.name: br-mailcow
+    enable_ipv6: false
+    ipam:
+      driver: default
+      config:
+        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
+        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+  proxy:
+      external: true

docker-compose.yml

@@ -375,44 +375,15 @@ services:
         - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
         - ./data/conf/nginx/:/etc/nginx/conf.d/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
-        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
+        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
-      expose:
+      # ports:
-        - "${HTTP_PORT:-80}"
+        # - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
+        # - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
       restart: always
       networks:
-        proxy:
         mailcow-network:
           aliases:
             - nginx
-      labels:
-        - traefik.enable=true
-        - traefik.docker.network=proxy
-        - traefik.http.middlewares.mail-redirect-websecure.redirectscheme.scheme=https
-        - traefik.http.routers.mail-http.middlewares=mail-redirect-websecure
-        - traefik.http.routers.mail-http.rule=Host(`${MAILCOW_HOSTNAME}`)
-        - traefik.http.routers.mail-http.entrypoints=web
-        - traefik.http.routers.mail-https.rule=Host(`${MAILCOW_HOSTNAME}`)
-        - traefik.http.routers.mail-https.entrypoints=websecure
-        - traefik.http.routers.mail-https.tls=true
-        - traefik.http.routers.mail-https.tls.certresolver=myhttpchallenge
-        - traefik.http.services.mail.loadbalancer.server.port=80
-        - "co.elastic.logs/module=nginx"
-        - "co.elastic.logs/fileset=access"
-
-    certdumper:
-        image: humenius/traefik-certs-dumper
-        restart: always
-        # container_name: traefik_certdumper
-        network_mode: none
-        volumes:
-          # mount the folder which contains Traefik's `acme.json' file
-          #   in this case Traefik is started from its own docker-compose in ../traefik
-          - ${DATA_PATH}/traefik:/traefik:ro
-          # mount mailcow's SSL folder
-          - ./data/assets/ssl/:/output:rw
-        environment:
-          # only change this, if you're using another domain for mailcow's web frontend compared to the standard config
-          - DOMAIN=${MAILCOW_HOSTNAME}
 
     acme-mailcow:
       depends_on:
@@ -650,8 +621,6 @@ networks:
       config:
         - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
         - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
-  proxy:
-      external: true
 
 volumes:
   vmail-vol-1: