ansible-role-nextcloud-docker/templates/docker-compose.nextcloud.yml.j2


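# Docker Compose template, rendered by Jinja before it is parsed as YAML.
# Services: a MariaDB container, the Nextcloud Apache container published
# through Traefik, and an optional restic-compose-backup container.
#
# Template variables read here:
#   nextcloud_multitenant_postfix          suffix appended to container, host,
#                                          volume, router and middleware names
#   nextcloud_virtual_host                 hostname used in the Traefik Host() rule
#   nextcloud_enable_restic_compose_backup toggles the backup labels, the backup
#                                          service and its cache volume
#
# Jinja block tags stay at column 0: whitespace in front of a tag would be
# emitted into the rendered file and shift the YAML indentation of the next line.
version: '3'
networks:
  # Pre-existing network shared with the Traefik reverse proxy.
  public:
    external:
      name: traefik_public
services:
  # No "networks" key: the database joins only this project's default network
  # and is not attached to the shared Traefik network.
  mysqldb:
    # Pinned to a patch release, so fixes arrive only when this tag is bumped;
    # review it periodically.
    image: mariadb:10.4.11
    container_name: "mysqldb{{ nextcloud_multitenant_postfix }}"
    hostname: "mysqldb{{ nextcloud_multitenant_postfix }}"
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - "mysqldb{{ nextcloud_multitenant_postfix }}:/var/lib/mysql"
      - /etc/localtime:/etc/localtime:ro
    # Presumably carries the database credentials; keep the rendered file
    # readable only by the deploying user.
    env_file:
      - db.env
{% if nextcloud_enable_restic_compose_backup %}
    labels:
      - "restic-compose-backup.mariadb=true"
{% endif %}
    restart: unless-stopped
  nextcloud-app:
    # Floating tag: each pull may bring a different Nextcloud release. Pin a
    # version tag or digest if deployments must be reproducible.
    image: nextcloud:apache
    container_name: "nextcloud-app{{ nextcloud_multitenant_postfix }}"
    hostname: "nextcloud-app{{ nextcloud_multitenant_postfix }}"
    networks:
      - public
      - default
    depends_on:
      - mysqldb
    volumes:
      - "nextcloud{{ nextcloud_multitenant_postfix }}:/var/www/html"
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - nextcloud.env
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_public"
      # Router: HTTPS entrypoint only, certificate from "defaultresolver".
      - "traefik.http.routers.nextcloud{{ nextcloud_multitenant_postfix }}.rule=Host(`{{ nextcloud_virtual_host }}`)"
      - "traefik.http.routers.nextcloud{{ nextcloud_multitenant_postfix }}.entrypoints=websecure"
      - "traefik.http.routers.nextcloud{{ nextcloud_multitenant_postfix }}.tls=true"
      - "traefik.http.routers.nextcloud{{ nextcloud_multitenant_postfix }}.tls.certresolver=defaultresolver"
      # "-rep" middleware: permanent redirect of the CalDAV/CardDAV well-known
      # URLs to remote.php/dav/. "$$" is the Compose escape for a literal "$".
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-rep.redirectregex.permanent=true"
      # "-headers" middleware: security response headers.
      # NOTE(review): SSLRedirect and featurePolicy are deprecated in later
      # Traefik 2.x releases; check them against the deployed Traefik version.
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.SSLRedirect=true"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.contentTypeNosniff=true"
      # HSTS for 315360000 s (10 years) with includeSubdomains and preload.
      # This is long-lived and hard to roll back, so every subdomain of the
      # virtual host must be served over HTTPS.
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.STSPreload=true"
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.featurePolicy=payment 'none'"
      # Fixed: this label previously omitted the "-headers" suffix. It therefore
      # defined a separate middleware that the router never referenced, and the
      # SAMEORIGIN frame option (clickjacking protection) was never sent.
      - "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.customFrameOptionsValue=SAMEORIGIN"
      # Content-Security-Policy left disabled by the author.
      #- "traefik.http.middlewares.nextcloud{{ nextcloud_multitenant_postfix }}-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content"
      # Only middlewares listed here are applied to requests.
      - "traefik.http.routers.nextcloud{{ nextcloud_multitenant_postfix }}.middlewares=nextcloud{{ nextcloud_multitenant_postfix }}-rep,nextcloud{{ nextcloud_multitenant_postfix }}-headers"
{% if nextcloud_enable_restic_compose_backup %}
      - "restic-compose-backup.volumes=true"
      - "restic-compose-backup.volumes.include=nextcloud"
{% endif %}
    restart: unless-stopped
{% if nextcloud_enable_restic_compose_backup %}
  # The backup service
  backup:
    image: zettaio/restic-compose-backup:0.4.2
    container_name: "backup{{ nextcloud_multitenant_postfix }}"
    hostname: "backup{{ nextcloud_multitenant_postfix }}"
    # Presumably holds the restic repository location and password; protect
    # the rendered file like any other secret.
    env_file:
      - restic-compose-backup.env
    volumes:
      # We need to communicate with docker.
      # The ":ro" flag only makes the bind mount read-only. A process that can
      # connect to the socket can still issue any Docker API request, which is
      # effectively root on the host. Treat this container as fully trusted, or
      # put an API-filtering socket proxy in front of it.
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # Persistent storage of restic cache (greatly speeds up all restic operations)
      - "backup-cache{{ nextcloud_multitenant_postfix }}:/cache"
{% endif %}
volumes:
  mysqldb{{ nextcloud_multitenant_postfix }}:
  nextcloud{{ nextcloud_multitenant_postfix }}:
{% if nextcloud_enable_restic_compose_backup %}
  backup-cache{{ nextcloud_multitenant_postfix }}:
{% endif %}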