version: '3'

networks:
  public:
    external:
      name: traefik_public

services:
  mysqldb:
    image: mariadb:10.4.11
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - mysqldb:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - db.env
{% if nextcloud_enable_restic_compose_backup %}
    labels:
      - "restic-compose-backup.mariadb=true"
{% endif %}
    restart: unless-stopped

  nextcloud-app:
    image: nextcloud:27-fpm-alpine
    container_name: nextcloud-app
    depends_on:
      - mysqldb
    volumes:
      - nextcloud:/var/www/html
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - nextcloud.env

  web:
    image: nginx
    restart: always
    depends_on:
      - nextcloud-app
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/localtime:/etc/localtime:ro
      - nextcloud:/var/www/html
    networks:
      - public
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.nextcloud.rule=Host(`{{ nextcloud_virtual_host }}`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=defaultresolver"
      - "traefik.http.middlewares.nextcloud-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-rep.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.SSLRedirect=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.nextcloud-headers.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.STSPreload=true"
      - "traefik.http.middlewares.nextcloud-headers.headers.featurePolicy=payment 'none'"
      - "traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue=SAMEORIGIN"
      #- "traefik.http.middlewares.nextcloud-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-rep,nextcloud-headers"
{% if nextcloud_enable_restic_compose_backup %}
      - "restic-compose-backup.volumes=true"
      - "restic-compose-backup.volumes.include=nextcloud"
{% endif %}
    restart: unless-stopped

{% if nextcloud_enable_restic_compose_backup %}
  # The backup service
  backup:
    image: zettaio/restic-compose-backup:0.4.2
    env_file:
      - restic-compose-backup.env
    volumes:
      # We need to communicate with docker
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # Persistent storage of restic cache (greatly speeds up all restic operations)
      - backup-cache:/cache
{% endif %}

volumes:
  mysqldb:
  nextcloud:
{% if nextcloud_enable_restic_compose_backup %}
  backup-cache:
{% endif %}